
Overview

On 19th July 2022, Google released a security update for the Chrome browser that addressed 11 vulnerabilities, including a zero-day flaw that is being exploited in the wild. This update included the following additional fixes:

  • CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2nd August 2022.
  • CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 18th June 2022.
  • CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 16th July 2022.
  • CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 21st June 2022.
  • CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 5th July 2022.
  • CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 4th August 2022.
  • CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 19th July 2022.
  • CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 22nd June 2022.
  • CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 18th July 2022.
  • CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 21st July 2022.

The zero-day is tracked as CVE-2022-2856. Google rates it as high severity and attributes it to “insufficient validation of untrusted input in Intents”. Intents is the component of Google Chrome that allows a web page to launch applications and web services directly.

Impact

The insufficient input validation described above can potentially serve as a pathway to bypassing protections or exceeding the scope of the intended functionality of the Google Chrome browser, which could theoretically lead to successful exploitation via the following attack vectors:

  • Buffer Overflow
  • Directory Traversal
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Null Byte Injection

Vulnerability Detection

An installation can be identified as vulnerable by comparing its reported version against the fixed build: any version of the Google Chrome browser prior to 104.0.5112.101 is susceptible to this vulnerability. The Stable channel has been updated to 104.0.5112.101 for macOS and Linux; on Windows the corresponding fixed builds are 104.0.5112.102/101.
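The version comparison above is easy to get wrong when done on strings, because "104.0.5112.99" sorts after "104.0.5112.101" lexically. The following Python script is an added example, not code from the advisory or from Google: it extracts the four-part Chrome version from text such as the output of `google-chrome --version` (or a bare version string collected by an inventory tool), compares it numerically against the fixed build 104.0.5112.101 stated on this page, and sorts a constructed sample inventory into vulnerable, patched and unknown hosts. The hostnames and version strings in SAMPLE_INVENTORY are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Fixed Stable build from the advisory; Windows installs may also report .102,
# which compares as newer and is therefore treated as patched.
FIXED_VERSION: Tuple[int, int, int, int] = (104, 0, 5112, 101)

# Chrome versions are always four dot-separated integers.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract a Chrome version from free text, e.g. the string
    'Google Chrome 104.0.5112.101' printed by `google-chrome --version`,
    or a bare '104.0.5112.101'. Raises ValueError if none is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    major, minor, build, patch = (int(part) for part in match.groups())
    return (major, minor, build, patch)


def is_vulnerable(text: str) -> bool:
    """True when the reported version is older than FIXED_VERSION.

    The comparison is on integer tuples: a plain string comparison would
    rank 104.0.5112.99 above 104.0.5112.101 because '9' sorts after '1'."""
    return parse_version(text) < FIXED_VERSION


# Constructed sample inventory (hostname -> version string as collected);
# these hosts and values are illustrative, not real data.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "Google Chrome 103.0.5060.134",   # older major/build: vulnerable
    "ws-02": "Google Chrome 104.0.5112.81",    # same build line, older patch
    "ws-03": "Google Chrome 104.0.5112.101",   # exactly the fixed build
    "ws-04": "Google Chrome 104.0.5112.102",   # Windows fixed build
    "ws-05": "Google Chrome 105.0.5195.52",    # newer major: patched
    "ws-06": "not installed",                  # no version: cannot assess
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts as vulnerable, patched or unknown (no parsable version).
    Hosts are processed in sorted order so the output is deterministic."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        try:
            bucket = "vulnerable" if is_vulnerable(reported) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket (no parsable version) should be checked by hand rather than assumed patched; an inventory gap is not evidence of an updated browser.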

Affected Products

Any version of the Google Chrome browser prior to 104.0.5112.101 is susceptible to this vulnerability. The Stable channel has been updated to 104.0.5112.101 for macOS and Linux; on Windows the corresponding fixed builds are 104.0.5112.102/101.

Containment, Mitigations & Remediations

To prevent the successful exploit of this vulnerability, the Google Chrome browser must be updated to version 104.0.5112.101 or later. This can be achieved by performing the following actions:

  1. Open the “Settings” menu within the Google Chrome browser.
  2. Select “About Chrome”.
  3. Allow the browser to check for and download any available update.
  4. Once the download has completed, restart the browser to apply the security update.

There is a separate release bulletin for Chrome for iOS, which moves to version 104.0.5112.99, but at the time of writing no bulletin has been published that mentions Chrome for Android.

Indicators of Compromise

In line with its disclosure practice, Google has not released full details of the vulnerability, and will not do so until the majority of users have updated to the latest version of the browser. No indicators of compromise have therefore been published at this time.

Threat Landscape

Google Chrome holds approximately 70% of the browser market share. Threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to spend their time on, and this makes the Google Chrome browser a prime target. While browsers may not run on the systems of highest value in terms of direct data exfiltration, the probability of exploiting an unpatched version of the Google Chrome browser is relatively high. Escaping the browser provides a threat actor with initial access, which can lead to privilege escalation and pivoting deeper into a network or associated cloud resources.

MITRE Methodologies

TA0001 – Initial Access

TA0004 – Privilege Escalation

TA0008 – Lateral Movement

Further Information

Zero-day definition

Google Chrome Release Notes

Google Chrome Vulnerability Detection

Google Chrome Release Notes

Sophos Security Blog for Chrome Zero-Day