Over the Fourth of July weekend, Google released a patch for a high-severity Chrome zero-day vulnerability. The vulnerability is being exploited in the wild and affects Google Chrome and other Chromium-based browsers. It is a heap-based buffer overflow in the WebRTC (Web Real-Time Communications) component.
The vulnerability is tracked as CVE-2022-2294 and allows attackers to compromise Chrome users' privacy. A successful heap overflow exploit can result in program crashes, bypassed security controls, or arbitrary code execution. Although the vulnerability has been exploited in the wild, Google has yet to release any information or technical details about the successful exploitation. Its advisory states that "Access to bug details and links may be kept restricted until a majority of Chrome users are updated with a fix."
CVE-2022-2294 is the fourth zero-day that Google has patched in 2022. The other zero-day vulnerabilities include:
Chrome version 103.0.5060.114 has been released to Google's Stable Desktop channel, but Google stated it will take days or weeks to reach the entire user base. Google is withholding the technical details of the attacks in the meantime so that every Chrome user has time to patch. Here is a list of other Chromium browsers that you should patch:
Because CVE-2022-2294 has been exploited by hackers in the wild, Avertium strongly urges that you update Google Chrome as soon as possible.
Please patch your Google Chrome browser as soon as possible to the latest version (103.0.5060.114 for Windows, macOS, and Linux and to 10.5060.71 for Android).
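As an added example that is not part of Avertium's notice, the check below tells whether an installed desktop build already carries the fix. Chrome versions are four dotted integers (MAJOR.MINOR.BUILD.PATCH), so they must be compared numerically rather than as strings; the `google-chrome --version` invocation is an assumption, and the sample version strings are constructed.

```python
"""Check whether a Chrome/Chromium build is at or above the CVE-2022-2294 fix.

Plain string comparison is wrong here: "103.0.5060.53" sorts after
"103.0.5060.114" lexically, so components are compared as integer tuples.
"""
from __future__ import annotations

import re
import subprocess
from typing import Optional, Tuple

# First Stable Desktop release carrying the fix, per Google's advisory.
FIXED_DESKTOP_VERSION = "103.0.5060.114"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version from text such as 'Google Chrome 103.0.5060.114'.

    Missing trailing components are padded with zeros, so '103.0' == '103.0.0.0'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(installed: str, fixed: str = FIXED_DESKTOP_VERSION) -> bool:
    """True if the installed build is at or above the first fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def check_local_chrome(binary: str = "google-chrome") -> Optional[bool]:
    """Run `<binary> --version` (assumed CLI) and report patch status; None if not found."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_patched(out)


if __name__ == "__main__":
    # Constructed samples in the shape `google-chrome --version` prints.
    for sample in ("Google Chrome 103.0.5060.53", "Google Chrome 103.0.5060.114",
                   "Chromium 104.0.5112.79"):
        status = "patched" if is_patched(sample) else "VULNERABLE, update now"
        print(f"{sample}: {status}")
```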
At this time, there are no known IoCs associated with CVE-2022-2294. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.