Google Chrome emergency update fixes the actively used zero-day flaw

Google releases an urgent update for Chrome to patch the exploited vulnerability

Newest Google Chrome update addresses three zero-day flaws

Google has released a Chrome update to address a zero-day flaw that is being actively exploited in attacks. Google patches three security issues in the Chrome web browser. One of them was actively exploited in the wild recently.[1] The bug is described as a high-severity type confusion in the V8 JavaScript engine. Tracked as CVE-2022-1364, the flaw was first reported on April 13.[2]

To avoid further exploitation and abuse of such flaws, details about the attacks, the threat actors, and the flaw itself have been kept private and not disclosed. However, the company admits that the zero-day flaw[3] was actively exploited by attackers. The patch addresses this and two additional security vulnerabilities in Chrome. This is the second type confusion bug in V8 addressed lately.

The other flaws are CVE-2022-0609, a use-after-free flaw in Animation found on February 14th, and CVE-2022-1096, a type confusion bug in V8 disclosed on March 25th. Users are recommended to update to version 100.0.4896.127 for Windows, Mac, and Linux to patch the vulnerabilities.[4]
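One way to check a fleet against the fixed build named above, as an added example that is not part of the original article. The `host,os,version` inventory format and the host names are assumptions, and the sample data is constructed. Versions are compared as integer tuples because plain string comparison would rank 100.0.4896.88 above 100.0.4896.127.

```python
# Added example: flag Chrome installs older than the build named in the article.
import re

PATCHED = "100.0.4896.127"  # fixed build stated in the article
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")  # MAJOR.MINOR.BUILD.PATCH

def parse_version(text):
    """Return a 4-tuple of ints for a four-part dotted version, else None."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(inventory_csv, patched=PATCHED):
    """Sort hosts into patched / vulnerable / unknown from 'host,os,version' lines."""
    floor = parse_version(patched)
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_csv.strip().splitlines():
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 3:
            # Malformed record: keep the raw line so it can be reviewed by hand.
            result["unknown"].append(line.strip())
            continue
        host, _os_name, raw_version = fields
        version = parse_version(raw_version)
        if version is None:
            result["unknown"].append(host)
        elif version >= floor:
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """
ws-001,Windows,100.0.4896.127
ws-002,Windows,100.0.4896.88
mac-014,Mac,99.0.4844.84
lin-203,Linux,101.0.4951.41
kiosk-07,Linux,unknown
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket reported no parseable version and need a manual check rather than being assumed patched.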

Zero-day bugs bother Google

The zero-day vulnerability fixed with the newest update is a high-severity flaw in the type confusion weakness category. These bugs generally lead to browser crashes when successfully exploited. Threat actors can exploit them to execute arbitrary code on the machine by reading or writing memory out of buffer bounds.

Google reports that it has detected attacks in which these vulnerabilities were exploited. The details could expose possible ways to abuse security flaws like this, so they might be publicized only after the majority of users have applied the patches. This is a way to avoid issues and exploitation.

This has been a recurring issue for Google recently: in the first four months of 2022, the company disclosed three zero-day flaws. Such vulnerabilities can be exploited by hacker groups and used in campaigns pushing malware via phishing emails or fake messages. This happened with one of them, when North Korean state-backed hackers exploited the flaw in their attacks.[5]

Microsoft patched 128 zero-day flaws recently

The April 2022 Patch Tuesday addressed major security vulnerabilities as Microsoft dealt with a batch of bugs in its customary monthly round of security fixes. The patch addresses a number of security issues, including major zero-day vulnerabilities that, once exploited, can create major issues.

Two of the vulnerabilities, which impact Remote Procedure Call Runtime and the Windows Network File System, have CVSS scores of 9.8. These bugs can be exploited to trigger cyber attacks and lead to remote code execution, elevation of privilege, denial of service, data leaks, and spoofing.

Last month, Microsoft addressed 71 flaws in its batch of patches, two of them critical. Microsoft wants to end Patch Tuesday and release Windows Autopatch, which would make patching software easier. Apart from emergency out-of-schedule releases, all patches would be applied quickly once released.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

