On March 23, 2022, Google was alerted to a dangerous zero-day vulnerability affecting all Chromium-based browsers. An anonymous reporter discovered the vulnerability, which is being tracked as CVE-2022-1096. The bug is a type confusion vulnerability and is currently being exploited by threat actors in the wild, making every Chromium-based browser vulnerable to attack. Affected browsers include Microsoft’s Edge, Amazon Silk, Brave, Opera, Samsung Internet, Vivaldi, and Yandex.
Type confusion is a coding issue that arises when a threat actor creates two pointers to the same object with incompatible type tags, tricking the program into treating the data as valid for a type it does not actually have. Attacks on Chrome’s V8 JavaScript engine are uncommon but are among the most dangerous. Google has not released details of the bug, because its policy is to restrict details until a majority of users have installed the update.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” - Google
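To make the type-confusion pattern described above concrete, here is an added C illustration that is not code from Chrome, V8, or the CVE-2022-1096 advisory. The object layouts, tag values and function names are hypothetical; the point is that an accessor which trusts a caller's claim about an object's type reads (or writes) another object's fields, while the hardened accessor checks the runtime tag first.

```c
/* Added toy illustration of a type-confusion bug and its fix.
 * Hypothetical layouts: not V8's real object model. */
#include <stddef.h>
#include <stdint.h>

/* Every heap object starts with a header carrying its runtime type tag. */
enum obj_kind { KIND_NUMBER = 1, KIND_ARRAY = 2 };

struct obj_header { enum obj_kind kind; };

/* A boxed number: header followed by the value. */
struct number_obj { struct obj_header hdr; int64_t value; };

/* An array: header followed by its length and a pointer to its elements. */
struct array_obj { struct obj_header hdr; int64_t length; int64_t *elements; };

/* VULNERABLE: trusts the caller's claim that obj is a number_obj.
 * If obj is really an array_obj, the read returns the array's length
 * field as if it were a number, and a write through this path would
 * corrupt the array's length: the classic type confusion primitive. */
int64_t number_value_unchecked(struct obj_header *obj) {
    return ((struct number_obj *)obj)->value;
}

/* FIXED: verify the runtime tag before treating the object as a number.
 * Returns 0 on success, -1 if obj is NULL or is not a number_obj. */
int number_value_checked(struct obj_header *obj, int64_t *out) {
    if (obj == NULL || obj->kind != KIND_NUMBER) return -1;
    *out = ((struct number_obj *)obj)->value;
    return 0;
}

/* Demonstration on constructed objects. Returns 1 when:
 *   - the checked accessor accepts a genuine number and returns 42,
 *   - the checked accessor rejects an array passed in its place,
 *   - the unchecked accessor reads the array's length (3) as a "number",
 *     showing the confusion the tag check prevents. */
int demo_type_confusion(void) {
    int64_t elems[3] = {10, 20, 30};
    struct number_obj num = {{KIND_NUMBER}, 42};
    struct array_obj arr = {{KIND_ARRAY}, 3, elems};
    int64_t v = 0;

    int accepted_number = (number_value_checked(&num.hdr, &v) == 0) && v == 42;
    int rejected_array = (number_value_checked(&arr.hdr, &v) == -1);
    int64_t confused = number_value_unchecked(&arr.hdr);

    return accepted_number && rejected_array && confused == 3;
}
```

In a real engine the tag check is usually implicit in the optimized code's assumptions about an object's "shape"; a bug that lets those assumptions go stale is what turns a harmless cast into an out-of-bounds read or write.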
CISA has ordered all private and public sector organizations to patch devices as soon as possible. Although Google has released an emergency update with a security fix in Chrome 99.0.4844.84, an official patch for Windows, Mac, and Linux will not be released for a couple of weeks. CVE-2022-1096 follows the exploitation of another Chrome zero-day flaw (CVE-2022-0609) by two North Korean state-sponsored threat actor groups.
CVE-2022-0609 is a remote code execution (RCE) flaw that allowed threat actors to exploit a use-after-free vulnerability in Chrome’s animation component. The vulnerability was found by Google’s Threat Analysis Group (TAG) and was exploited by two groups, tracked as Operation Dream Job and Operation AppleJeus. The threat actors targeted U.S.-based organizations in the news media, IT, cryptocurrency, and fintech industries. Google has since patched the vulnerability.