Google Chrome patches mysterious new zero-day bug – update now
Credit to Author: Paul Ducklin| Date: Mon, 28 Mar 2022 14:18:59 +0000
Last time we reported on a Chrome zero-day flaw was back in February 2022.
Back then, Google noted that the Chrome browser – and, by implication, all other browsers based on the Chromium-project code and its underlying Blink rendering engine – had been patched against a range of memory mismanagement bugs that were potentially exploitable for remote code execution (RCE).
In the browser world, RCE vulnerabilities, if successfully abused, often mean that merely viewing a web page containing booby-trapped content could leave you with uninvited, unapproved program code implanted onto your computer – an active malware infection, to put it bluntly.
(Note that we used the word could above, not will, given that browser exploits are often fickle flaws that are unreliable even when used deliberately in anger, perhaps leaving you with a crashed browser but an otherwise unharmed computer.)
Anyway, back in February 2022, none of the bugs listed by Goole got a truly dangerous rating of “Critical” (they maxxed out at the level “High”), but one of them, dubbed CVE-2022-0609, was nevertheless accompanied by the admittedly rather vague words: “Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.”
Saying that someone’s told you that a working exploit exists is not the same as admitting that you’ve actually seen the exploit yourself, of course, and that, in turn, means that you can only assume that the patch you’ve just created really does prevent any alleged “in-the-wild” attacks.
Indeed, in the case of CVE-2022-0609, Google’s Threat Analysis Group needed until late in March 2022 to follow up with a detailed report.
In that report, Google’s researchers claimed they’d tracked the first use of this exploit right back to the start of January 2022, and suggested that it had been abused by two different North Korean hacking groups.
Once more unto the breach…
Well, March 2022 has brought us another Chrome exploit listed with the dreaded words, “Google is aware of reports that an exploit for CVE-2022-1096 exists in the wild.”
In fact, CVE-2022-1096 is the only security fix listed in the 2022-03-25 Chrome update advisory, which announces the release of Chrome version 99.0.4844.84.
Unfortunately, as you’ll see if you read Google’s report on the CVE-2022-0609 zero-day mentioned above, details such as who’s using a known exploit, where they’re using it, what they’re using it for, and how reliably the exploit works in real life, can be hard to figure out, especially if the attackers guard the exploit carefully.
Indeed, if you’ve ever experienced what’s known in the jargon as malvertising (booby-trapped web content that’s delivered semi-randomly via a hacked ad network, causing intermittent and unpredictable malware warnings to pop up, perhaps even on mainstream sites), you’ll know just how elusive web threats can be:
Even if your chosen anti-virus software detects and blocks an attack against your browser, so you know to report it, there’s no guarantee that the threat researchers who investigate will be able to coax the same misbehaviour that you did out of the compromised servers.
And even if you are able to find left-over remnants of the attack, such as temporary JavaScript code left behind in a cache file on disk, it won’t be much use if it depended on a random run-time decryption key that was only ever stored in memory…
…especially if the exploit succeeded only because your browser crashed and took the memory-based decryption key with it.
What to do?
Until Google is able to acquire, and decides to share, specific details about this CVE-2022-1096 zero-day attack, there aren’t any definitive indicators of compromise (IoCs) that you can rely upon to see whether it’s been used against you.
Your best bet, as always, is: Patch Early, Patch Often.
If you’re a Chrome (or Chromium) user, you can type the the special URL chrome://version
into the address bar to show you the precise details of the version you’re currently running.
(Google’s security advisory notes that the update applies to Windows, Mac and Linux; there’s no mention of what version number to look for on Android, or even if Chrome on Android is affected.)
If Chrome hasn’t already fetched the latest version for you automatically, go to DotDotDot (the More menu) in the top right, then use Help and About to access the update dialog: you want 99.0.4844.84 or later.