Cloud Security, Vulnerability Management

Google patches fourth Chrome zero-day this year

The Google logo adorns the outside of its office June 3, 2019, in New York City. (Photo by Drew Angerer/Getty Images)
Google on Monday released a patch for CVE-2022-2294, a high-severity zero-day vulnerability that was found in the wild. (Photo by Drew Angerer/Getty Images)

Google on Monday released a patch for CVE-2022-2294, a high-severity zero-day vulnerability that was found in the wild, the fourth such Chrome zero-day this year.

The patch was made in the following Chrome update: 103.0.5060.114 for Windows, described as a heap buffer overflow in WebRTC.

Google said Jan Vojtesek, a researcher from the Avast Threat Intelligence team, has been credited for reporting and discovering the vulnerability on July 1, 2022.

This new CVE is a serious vulnerability that could lead to arbitrary remote code execution by simply visiting a malicious website, said Patrick Tiquet, vice president, security and architecture at Keeper Security.

Tiquet said this could let an attacker perform a variety of actions on a target system, such as install malware or steal information. He said Windows and Android Chrome users (the bug also affects the Android version of Chrome) should ensure that they install the latest updates to protect themselves.

“Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets - compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser,” Tiquet noted. ”Ensuring that web browsers are patched is a user or customer-organization responsibility. Web browsers, if not maintained and patched, can be a weak link in the security of any cloud-based service.”

Client web-browsers should be particularly concerning to cloud-services in this case because they are largely outside of the security controls of the cloud-service provider, he added.

Mike Parkin, senior technical engineer at Vulcan Cyber, said browser vulnerabilities have become problematic for cloud applications that depend on a web interface.

“Especially one as widely used as Chrome, it’s even worse when there are known exploits in the wild that leverage the vulnerability,” Parkin said. “Fortunately, Google has already developed patches for this vulnerability on both desktop and mobile platforms and will have them rolled out quickly.”

Related

LockBit-leaked DC city agency data from third party

Washington, D.C.'s Department of Insurance, Securities and Banking has disclosed that 800GB of data claimed to have been stolen by the LockBit ransomware operation was obtained from an attack against third-party software provider Tyler Technologies following the ransomware gang's threats to expose 1GB of the exfiltrated data to coerce the agency into providing the demanded ransom, reports The Record, a news site by cybersecurity firm Recorded Future.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.