This week on Cytidel Intel Insights we're looking at something that will affect most of you... or statistically, 70% of you. On the 4th of July, Google released a security advisory about 3 high severity vulnerabilities, one of which is an actively exploited zero-day affecting Google Chrome and other Chromium browsers.
On this week’s Cytidel Intelligence Insights we are looking at a number of new vulnerabilities that were disclosed this week by Google regarding zero-days in Google Chrome, the most widely used Internet Browser globally.
Posting on the official Chrome blog, Google said the vulnerability (CVE-2022-2294) affects Windows and Android users, admitting "Google is aware that an exploit for CVE-2022-2294 exists in the wild." Alongside CVE-2022-2294 comes two additional high-severity vulnerabilities, CVE-2022-2295 and CVE-2022-2296.
(Note: If you're getting to this article early enough, you'll notice that the CVE details have not yet been published and the pages appear empty. This is explained below.)
What Is It?
Yes, what is it? That’s the interesting thing about this article! The amount of information released about these vulnerabilities has been minimal thus far. This is a tactic utilised by Google to ensure that all users have a chance to upgrade to the fixed version of the browser before disclosing additional information about the vulnerabilities to potential threat actors. So far, we know the following:
High - CVE-2022-2294 [Zero-Day threat]: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01
High - CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16
High - CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19
So there are vulnerabilities in WebRTC, V8 and the Chrome OS Shell. I won't waste time getting into the details of what these components do, as the important thing for most IT end-users isn’t to understand them, it’s to understand that they are currently being exploited, in the wild, by threat actors.
Why Should I Care?
Google Chrome is the most widely used web browser on the planet. Some of you might be reading this thinking: “well that’s ok, I don’t use Google Chrome, this doesn’t affect me”. Hmmm, check again… Google Chrome is built on top of an open-sourced web browser project known as Chromium. WebRTC is a Chromium component, not specific to Google Chrome.
This means that many, if not all, of the below browsers, may also be vulnerable to this exploit:
Microsoft Edge
Opera
Opera Neon
Opera GX
Vivaldi Browser
Brave Browser
Epic Privacy Browser
While we will be discussing Google Chrome for the remainder of the article, you should also keep an eye out for software upgrades related to any of the above browsers if you use them.
Am I Vulnerable?
Statistically speaking… probably. Over 70% of internet users are using a Chromium Browser to get online. If you are one of them and haven’t upgraded your browser in the last 3-4 days, you are likely vulnerable to these exploits.
But the good news is… it’s a quick fix.
What Can I Do?
The zero-day vulnerability, CVE-2022-2294, was published on 1st July 2022 (with limited information). Three days later, on 4th July 2022, the Google team released Chrome v103.0.5060.114 which patched 4 vulnerabilities in total.
Updating Chrome is simple – in your browser navigate to:
chrome://settings/help
Chrome will immediately check for updates and download the latest version.
After the update, the version should be 103.0.5060.114 or later.
As there are so many of these vulnerabilities being released, it is a good idea to regularly check for Chrome updates and keep your browser up to date as often as possible.
For more information on weekly vulnerability trends, make sure to subscribe to Cytidel on LinkedIn to keep up to date. If you have any questions on how Cytidel can help your company or organisation with its’ vulnerability management please contact hello@cytidel.com