Google released a patch for their fifth zero-day vulnerability this year. Google describes CVE-2022-2856 as a high-severity bad input validation vulnerability impacting Google Chrome. Like most of Google’s zero-day vulnerabilities, there are little details surrounding CVE-2022-2856.
Google’s published advisory states that the bug is an “insufficient validation of untrusted input in Intents”, which is a feature that allows the launch of applications and web services from a web page. Because intents allow a web page to access and run a third-party app over a browser session, CVE-2022-2856 has likely given attackers the opportunity to distribute malicious apps through a web page or through phishing emails.
According to MITRE, input validation checks potentially dangerous inputs to make sure that the inputs are safe for processing within the code, or when communicating with other components. If there is bad input validation in software, it can lead to overriding protections, buffer overflows, SQL injections, cross-site scripting, and more.
Google has fixed the flaw, and the patch for the vulnerability should be ready for Chrome browsers for Windows, macOS, and Linux within the next few days or weeks via Chrome version 104.0.5112.101/102. To check which version of Chrome you are running, go to the About Google Chrome function where the browser’s internal checker will scan for updates. The function will also automatically start downloading the latest version of Chrome once it is available.
This is the fifth zero-day for Google this year, making the Google browser popular amongst attackers. Attackers are now prioritizing ways to exploit Chrome, and Avertium advises that you switch to the latest version of the browser as soon as possible.
INDICATOR'S OF COMPROMISE (IOCS):
At this time, there are no known IoCs associated with CVE-2022-2856. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any IoCs be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
Chrome Releases: Stable Channel Update for Desktop (googleblog.com)
CWE - CWE-20: Improper Input Validation (4.8) (mitre.org)
Google fixes fifth Chrome zero-day bug exploited this year (bleepingcomputer.com)
Google Patches Fifth Actively Exploited Zero-Day Flaw in Chrome This Year | PCMag
Related Reading: New Ransomware Family, HavanaCrypt, Disguises Itself as Fake Google Update
Contact us for more information about Avertium’s managed security service capabilities.