
Google races out patch for this high-severity Chrome browser zero-day

Jul, 05, 2022 Hi-network.com

Google has released an update to Chrome 103 for Windows desktops that fixes a flaw in its implementation of WebRTC, which it warns is already under attack. 

The issue that Chrome update 103.0.5060.114 for Windows addresses is a "heap buffer overflow in WebRTC", a class of bug in which a program writes past the end of a buffer allocated in the heap portion of memory, allowing adjacent memory to be overwritten for nefarious means.
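As an added example (not from Google or the original article), the script below checks a Windows fleet inventory against the patched build 103.0.5060.114 named above, comparing versions numerically rather than as strings. The hostnames, sample versions, status labels and function names are constructed for illustration.

```python
import re

# Patched Chrome build for Windows, as stated in the article.
PATCHED_WINDOWS = (103, 0, 5060, 114)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+){3}")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a well-formed version."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text, patched=PATCHED_WINDOWS):
    """Label one reported version as 'patched', 'outdated' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never treat an unparseable value as safe
    # Tuple comparison is numeric per component, so 66 < 114 as intended.
    return "patched" if version >= patched else "outdated"


def audit(inventory):
    """Group hostnames by status. inventory: iterable of (host, version string)."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY = [
    ("ws-001", "103.0.5060.114"),
    ("ws-002", "103.0.5060.66"),   # sorts after .114 as a string, but is older
    ("ws-003", "102.0.5005.115"),
    ("ws-004", "104.0.5112.20"),
    ("ws-005", "103.0.5060"),      # truncated value from a broken collector
    ("ws-006", ""),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" group need a manual check, since a missing or truncated version string says nothing about whether the fix is installed.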


WebRTC is the open web standard for building video and voice applications for real-time communications (RTC). It's enabled by JavaScript in the browser and the standard is supported by all major browser vendors.


Google hasn't offered any details on the bug, other than it's been assigned the identifier CVE-2022-2294, has a "high"-severity rating, and that Jan Vojtesek of the Avast Threat Intelligence team reported it to Google on July 1. 

It did, however, acknowledge that an exploit for it is circulating publicly.

"Google is aware that an exploit for CVE-2022-2294 exists in the wild," it says in a blogpost announcing the stable Chrome release for desktop. 

Google has also since released a fix for the same WebRTC flaw in Chrome for Android. 

MITRE says in its entry for heap-based buffer overflows: "Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime."

Google says it doesn't reveal details about bugs until the majority of users are updated with a fix. It might also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed.

The update also fixes two other high-severity flaws. CVE-2022-2295 is a type confusion in Chrome's V8 JavaScript engine, while CVE-2022-2296 is a "use after free" memory issue in Chrome OS Shell.


As of June 15, Google's security project Google Project Zero (GPZ) had counted 18 0-days this year that had been exploited in the wild. Two of the 18 0-days affected Chrome.

GPZ researcher Maddie Stone said that at least half of the 0-days GPZ had seen since the beginning of 2022 "could have been prevented with more comprehensive patching and regression tests."

Many of the 0-days in the first half of 2022 were just variants of previously patched bugs in Microsoft Windows, Apple iOS and WebKit, and Google Chrome. As she noted, the root cause issue was not addressed, allowing attackers to revisit the original bug through a different path. 

The problem with incomplete patches was that they were a wasted opportunity to "make 0-day hard" for attackers.

"The goal is to force attackers to start from scratch each time we detect one of their exploits: they're forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes," she said.
