Google on Monday released a patch for CVE-2022-2294, a high-severity zero-day vulnerability that was found in the wild, the fourth such Chrome zero-day this year.
The fix shipped in Chrome update 103.0.5060.114 for Windows; Google describes the vulnerability as a heap buffer overflow in WebRTC.
Google credited Jan Vojtesek, a researcher on the Avast Threat Intelligence team, with discovering and reporting the vulnerability on July 1, 2022.
This new CVE is a serious vulnerability that could lead to arbitrary remote code execution by simply visiting a malicious website, said Patrick Tiquet, vice president, security and architecture at Keeper Security.
Tiquet said this could let an attacker perform a variety of actions on a target system, such as install malware or steal information. He said Windows and Android Chrome users (the bug also affects the Android version of Chrome) should ensure that they install the latest updates to protect themselves.
“Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets - compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser,” Tiquet noted. “Ensuring that web browsers are patched is a user or customer-organization responsibility. Web browsers, if not maintained and patched, can be a weak link in the security of any cloud-based service.”
Client web browsers should be of particular concern to cloud services in this case because they are largely outside the security controls of the cloud service provider, he added.
Mike Parkin, senior technical engineer at Vulcan Cyber, said browser vulnerabilities have become problematic for cloud applications that depend on a web interface.
“Especially one as widely used as Chrome, it’s even worse when there are known exploits in the wild that leverage the vulnerability,” Parkin said. “Fortunately, Google has already developed patches for this vulnerability on both desktop and mobile platforms and will have them rolled out quickly.”