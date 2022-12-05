



Google is deploying an urgent out-of-band patch for another zero-day vulnerability in its flagship browser Chrome. This vulnerability, tracked as CVE-2022-4262, affects all browser versions on all platforms.

More importantly, the vulnerability is a type confusion bug in Chrome's V8 engine. This is why patching the vulnerability, reported by Clement Lecigne of Google's Threat Analysis Group on November 29th, should be a priority.

Like the other three type confusion vulnerabilities discovered in Chrome in 2022, this one lets threat actors access system memory out of bounds and so threatens any system running the vulnerable application.

Details of the vulnerability and exploit have not yet been made public, but the type confusion in V8 vulnerability is related to the browser's JavaScript engine, Mike Walters, VP of Vulnerability and Threat Research at Action1, told Spiceworks.

This vulnerability makes remote code execution very likely. This means an attacker could run a script or malware payload on the victim's device.

The Center for Internet Security (CIS) noted that successful exploitation of CVE-2022-4262 could allow an attacker to execute arbitrary code in the context of the logged-on user. Hackers can install programs, view, change, or delete data, or create new accounts with full user rights.

Attackers most often exploit such vulnerabilities when users visit malicious sites. They then use the affected devices to steal data, build botnets for distributed denial of service (DDoS) attacks, mine cryptocurrency, and send spam.

CVE-2022-4262 is the ninth Chrome zero-day vulnerability discovered and patched in 2022. It is also the fourth this year in the V8 engine, which is used by most Chromium-based web browsers, including Brave, Opera, Vivaldi, and Microsoft Edge, in addition to Chrome.


Here are all nine of Chrome’s zero-day bugs.

Vulnerability    Type                                         Resides In      CVSS Score   Month of Patch Release
CVE-2022-0609    Use-after-free                               Animation       8.8          March 2022
CVE-2022-1096    Type confusion                               V8 engine       8.8          March 2022
CVE-2022-1364    Type confusion                               V8 engine       8.8          April 2022
CVE-2022-2294    Heap buffer overflow                         WebRTC          8.8          July 2022
CVE-2022-2856    Insufficient validation of untrusted input   Intents         6.5          August 2022
CVE-2022-3075    Insufficient data validation                 Mojo            9.6          September 2022
CVE-2022-3723    Type confusion                               V8 engine       8.8          October 2022
CVE-2022-4135    Heap buffer overflow                         GPU component   9.6          November 2022
CVE-2022-4262    Type confusion                               V8 engine       NA           December 2022

In a blog post, CIS wrote that the risk from CVE-2022-4262 is high for large, medium, and small government agencies and businesses, and low for individuals/home users.

Google won’t release details about the vulnerability until most users’ browsers are updated. The severity of this vulnerability cannot be overemphasized. Therefore, we recommend updating your Chrome browser as soon as possible.

To update Chrome to version 108.0.5359.94, click the three vertical dots in the upper right corner, then open Settings > About Chrome; the browser will automatically check for updates. Chrome prompts the user to restart after the update is installed.

But be aware that patching your browser can cause problems, because people don't like browser restarts, which are often required as part of an update. So the organization's best practice is to automate the patching of third-party apps, including browsers, and allow IT teams to remotely force restarts in a way that is comfortable for end users, advises Walters.
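Before forcing restarts, an IT team needs to know which hosts are still below the fixed build. The script below is an added example, not code from the article or from Action1: it compares inventory records against the patched version the article names (108.0.5359.94) and flags hosts that still need the update. The inventory lines and hostnames are constructed sample data, and the "<host> <version>" line format is an assumption.

```python
"""Flag Chrome installs still below the CVE-2022-4262 fix (108.0.5359.94).

Added example. Version numbers must be compared field by field as integers:
as plain strings, "99.0.4844.51" sorts above "108.0.5359.94" because "9" > "1".
"""
from typing import List, Tuple

FIXED_VERSION = "108.0.5359.94"  # patched version named in the article


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '108.0.5359.94' into (108, 0, 5359, 94) for numeric comparison."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def find_unpatched(inventory: List[str]) -> List[Tuple[str, str]]:
    """Inventory lines are '<host> <chrome_version>' (assumed format);
    blank lines and '#' comments are skipped. Returns hosts still at risk."""
    at_risk = []
    for line in inventory:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, version = line.split()
        if not is_patched(version):
            at_risk.append((host, version))
    return at_risk


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = [
    "# host            chrome_version",
    "ws-finance-01     108.0.5359.94",
    "ws-finance-02     108.0.5359.71",
    "ws-hr-01          107.0.5304.122",
    "ws-dev-03         109.0.5414.46",
    "ws-legacy-07      99.0.4844.51",
]

if __name__ == "__main__":
    for host, ver in find_unpatched(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host} runs Chrome {ver} (< {FIXED_VERSION})")
```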


