Tuesday, 15 February 2022 14:30

Google Patches the First Zero-Day in Chrome for 2022

Written by

Reading time is around minutes.

Google has announced the release of a new version of Chrome. The new version comes with fixes for eight vulnerabilities. Once of these vulnerabilities CVE-2022-0609, which is describes as a user-after-free vulnerability is already being exploited in the wild. This has led them to advise users to updated Chrome as soon as possible to avoid compromise. The flaws were found by Google’s own Threat Analysis Group.

A user-after-free vulnerability is when an application or system reuses freed memory space. Let’s take the following example:
Memory is allocated to Pointer A > Pointer A then frees up the memory. This freed up memory is allocated to Pointer B by the system. At this stage someone can use Pointer A to reference the memory space which causes the memory space to become corrupted. If the attack is planned right and points to shellcode, an attacker can execute arbitrary code on the target system.

Five of the eight vulnerabilities addressed in Chrome version 98.0.4758.102 are use-after-free in different components of the browser, but only one has be identified as having a working exploit in the wild. With the large footprint that Chrome has these vulnerabilities, if left unpatched could represent a significant threat to security, not exactly what you want to see.

Browser vulnerabilities are a great attack vector and are often used by initial access groups to build on their hoard of zombies and bots. They are also well used in targeted attacks and rank up there with all the fun macro vulnerabilities found in Microsoft Office Products.

Although this is the first 0-Day that Google has identified and addressed in 2022, it is certainly not the first that we have seen hit the internet making 2022 a busy year and we are just in the 2nd month. Google announced and patched a total of 17 zero-days in 2021, I wonder if they will top that number this year?

Happy patching.

Read 1374 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.