Google on Wednesday released a new round of Chrome security updates headlined by a zero-day flaw that is actively targeted in nature.
The tech giant said its August Security Update includes a total of 11 patches, including fixes for 10 CVE-listed vulnerabilities. One Chrome vulnerability, CVE-2022-2852, is rated as critical risk, six are rated as high risk, and the remaining three are all rated as medium risk.
The update included a fix for CVE-2022-2856, a zero-day vulnerability in how the Intents component handles input validation. Google noted that the vulnerability is currently being exploited in the wild.
Google’s advisory didn’t provide much information about the vulnerability itself, only describing the issue as “insufficient validation of untrusted inputs in Intents.” Intents is an API that allows the Chrome browser to open external applications.
Ashley Shen and Christian Resell of Google Threat Analysis Group were credited with reporting the bug to Chrome’s developer team.
While Google wasn’t very forthcoming with details about the underattacked vulnerability, researchers were able to understand enough to know that the bug could potentially be dangerous when exploited.
“Web Intents is based on Android Intents and provides web application integration for developers,” Dustin Childs, communications manager for Trend Micro Zero Day Initiative, told TechTarget Editorial. “The bug likely manifests when a user attempts to use an intent for some purpose. If a threat actor can deliver a specially crafted response, they could achieve code execution on the target system.
Satnam Narang, senior research engineer at Tenable, told TechTarget Editorial that the Chrome vulnerability could potentially be tied to other bugs to evade browser sandbox protections and perform additional exploits.
“That’s the biggest concern with flaws like these; their use as part of a chain of vulnerability,” Narang explained.
“Generally, we know that when a zero-day in a browser has been exploited, it’s often tied to Advanced Persistent Threat (APT) groups, and their focus is narrower towards a specific subset of targets. , which would pose less of a threat on a broader level. But once those details become available and proof-of-concept exploits start circulating, attackers of all types are quick to incorporate them into their playbooks.
According to Tenable, CVE-2022-2856 is the fifth zero-day flaw that Google patched in Chrome this year. In July, a zero-day flaw in WebRTC, CVE-2022-2294, was found to be attacked in the wild, and in March Google disclosed that an unpatched vulnerability in the browser, CVE-2022-0609, had been exploited by North Korean hackers for six full weeks before it was discovered by security researchers.
Users and administrators are advised to update Chrome as soon as possible. In most cases, this can be done by simply restarting the browser.