date 2022-07-05



According to the internet giant, a zero-day security vulnerability in Google Chrome for Android has been actively exploited.

This issue is a severe heap buffer overflow bug in WebRTC (tracked as CVE-2022-2294). WebRTC is an HTML5 specification that allows web pages to play real-time audio and video content in the browser.

“Google is aware that the CVE-2022-2294 exploit actually exists,” the company said in an advisory on this issue.

As always, Google is keeping the technical details of the vulnerability close to the vest until the majority of users have updated their browsers, but heap buffer overflows are memory-corruption issues that can be exploited in various ways. Possible results include device crashes, denial of service (DoS), remote code execution (RCE), and security service bypass.

Patrick Tiquet, Vice President of Security and Architecture at Keeper Security, investigated this issue and said the bug does in fact allow RCE.

“CVE-2022-2294 is a serious vulnerability that could allow code to be executed remotely at any remote location by simply accessing a malicious website,” he says. “This could allow an attacker to take various actions against the target system, such as installing malware or stealing information. Windows and Android Chrome users must install the latest updates to protect themselves.”

To address this flaw, Google released Chrome 103 (103.0.5060.71) for Android on Monday, stating that the update will be rolled out on Google Play “in the next few days.”

This update also fixes two other security bugs. The first is a high-severity type confusion bug (CVE-2022-2295) in Google’s open source V8 JavaScript engine, which earned a $7,500 bug bounty for reporters avaue and Buff3tts over SSL. The other is an unspecified fix found internally. Type confusion issues can also lead to code execution, crashes, and logic errors.

“Web browsers are a high-priority target because they are important applications that are common to almost all cloud-based services. They are cloud-based to take advantage of web browser breaches. It can compromise service.”

Fourth Exploited Chrome Zero-Day Bug in 2022

The flaw in WebRTC is Chrome’s fourth exploited zero-day so far this year. In April, Google patched an already-exploited type confusion vulnerability (CVE-2022-1364) that affects the browser’s JavaScript and WebAssembly engines.

Another type confusion issue in V8 (CVE-2022-1096) was patched in March. A third (CVE-2022-0609) was patched in February after being exploited by North Korean state-backed advanced persistent threats, according to the Google Threat Analysis Group (TAG).

“Browser vulnerabilities can be an issue because there are so many business and cloud applications that rely on web interfaces,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “Especially as widely used as Chrome. It’s even worse if there are real exploits known to exploit this vulnerability. Fortunately, Google has already developed a patch for this vulnerability on both desktop and mobile platforms and will release it soon.”

