Flash Notices

Flash Notice: Google Patches Actively Exploited Zero-Day

Written by Marketing | Dec 7, 2022 2:54:05 PM

overview

A zero-day vulnerability impacting all browser versions of Google Chrome (including Opera, Brave, Vivaldi, and Microsoft Edge) is being actively exploited by threat actors. CVE-2022-4262 is a type confusion vulnerability in the V8 JavaScript engine of Google Chrome.  

Although Google didn’t release technical details regarding the vulnerability, it has been reported that CVE-2022-4262 has a high security rating and allows remote attackers to exploit heap (memory) corruption through crafted HTML pages. According to The Center for Internet Security, successful exploitation of the vulnerability could allow an attacker to execute code in the context of the logged-on user. This means that the attacker could view, change, delete data, create new accounts with full user rights, or install programs.  

Google stated in their security advisory that details regarding the vulnerability are kept restricted until most users are updated with a fix. Browser updates are currently being rolled out and users will receive updates to version v108.0.5359.94 (Mac and Linux) and v108.0.5359.94/.95 (Windows). CVE-2022-4262 has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, which means that government agencies have until December 26, 2022, to apply the patches.  

 

 

How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap. 
  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that  wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.  


 

Avertium's recommendations    

  • To Update Chrome to version 108.0.5359.94  
    • Chrome menu > Help > About Google Chrome. The browser automatically checks for updates and will install them with no user interaction after rebooting the browser.  
  • To Update Microsoft Edge to version 108.0.1462.41 
    • Please see Microsoft’s guidance located here 


 

INDICATORS OF COMPROMISE (IOCS):

At this time, there are no known IoCs associated with CVE-2022-4262. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive. 


 

 

SUPPORTING DOCUMENTATION

Chrome Releases: Stable Channel Update for Desktop (googleblog.com) 

Google Chrome zero-day exploited in the wild (CVE-2022-4262) - Help Net Security 

Google Rolls Out Emergency Patch for Ninth Zero-Day Chrome Vulnerability of 2022 | Spiceworks 1 

Google Chrome emergency update fixes 9th zero-day of the year (bleepingcomputer.com) 

 

 

 

 

 

Related Resource:  The Pitfalls of Online Chat Features