Google Zero Day Vulnerability (CVE-2022-1096) Affects 3.2 Billion Chrome Users

Originally published at: https://cloudsek.com/threatintelligence/google-zero-day-vulnerability-cve-2022-1096-affects-3-2-billion-chrome-users/

Category: Vulnerability Intelligence Vulnerability Class: Zero-Day Vulnerability CVE ID: CVE-2022-1096 CVSS:3.0 Score: To be assigned

Executive Summary

  • Google released a security update to patch a critical zero-day vulnerability in Windows, Mac, and Linux operating systems with Chrome 99.0.4844.84.
  • The zero-day vulnerability tracked as CVE-2022-1096, is a type of confusion vulnerability in the Chrome V8 JavaScript engine.
  • Google claims that the vulnerability was reported by an anonymous security researcher. The technical details and exploit for this vulnerability have been kept confidential until a majority of users patch it.

![](upload://lS0wRvD5UoGbM6ZpETbiOHg7gdf.png)

Analysis

  • CVE-2022-1096 is a “Type Confusion” vulnerability in the V8 Chrome Javascript engine. V8 is responsible for processing JavaScript code for Chrome. 
  • Type confusion is a programming bug in which an app uses a given “type” of input to start data execution activities, but is deceived into treating the input as a different “type.” 
  • The most critical type confusion vulnerabilities can allow arbitrary code execution. Hence the attackers can confuse the V8 engine, enabling it to perform unauthorized actions like reading and writing data on the victim’s machine.
  • Chrome has 3.2 billion users, hence the exploit to this vulnerability has been kept confidential and has not been released on surface web or dark web forums. 
  • Google stated that it will release more information about this vulnerability once a majority of its users install the update, thereby patching the vulnerability.
  • This vulnerability also affects Chromium browsers like Microsoft Edge and Brave. Chrome and Microsoft Edge have released auto-updates to fix the vulnerability.

Impact & Mitigation

Impact Mitigation
This is a critical vulnerability that could be exploited by threat actors to target ~3.2 billion users across the world. The previous zero-day vulnerability reported by Google (CVE-2022-0609) was actively exploited by North Korean threat actors before it was patched. Update Chrome to 9.0.4844.84  and version Microsoft Edge to 99.0.1150.55. Refer to the Google Security Advisories: Countering threats from North Korea Chrome Releases: Stable Channel Update for Desktop 

References