Google recently issued an important warning, stating that a new High-level Zero-Day vulnerability (CVE-2022-0609) has been discovered in all Chrome browsers and is being actively exploited by hackers.
Google also announced the discovery of six new high-level risks in the browser, which affect all operating systems including Windows, MacOS, Linux, and others.
What's interesting is that when the announcement was made, there were no hints about how or where the attacks were carried out, what the attackers were after, what the attackers got away with, what Indicators of Compromise (IoC) you could look for or how to assess your risk.
Other than the latest zero-day vulnerability, Google also listed several other new high-level security flaws in Chrome, including:
High - CVE-2022-0603: Use after free in File Manager. Reported by Chaoyuan Peng (@ret2happy) on 2022-01-22.
High - CVE-2022-0604: Heap buffer overflow in Tab Groups. Reported by Krace on 2021-11-24.
High - CVE-2022-0605: Use after free in Webstore API. Reported by Thomas Orlita on 2022-01-13.
High - CVE-2022-0606: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-01-17.
High - CVE-2022-0607: Use after free in GPU. Reported by 0x74960 on 2021-09-17.
High - CVE-2022-0608: Integer overflow in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-11-16.
High - CVE-2022-0609: Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google's Threat Analysis Group on 2022-02-10.
Medium - CVE-2022-0610: Inappropriate implementation in Gamepad API. Reported by Anonymous on 2022-01-08.
Forbes believes the zero-day vulnerability may very well be what’s known as the 'Use-After-Free' (UAF) hack, as attacks using UAF vulnerabilities continue to be by far the most popular and successful form of Chrome hack.
What is the UAF vulnerability? It's a vulnerability caused by the improper use of dynamic memory during programme execution. If a programme does not delete the pointer to a memory address after freeing it, an attacker can use the fault to hijack the programme.
Not only do UAF exploits account for five of the eight hacks reported here but they also increase the overall number of successful Chrome UAF attacks since the beginning of the year to 26. This accounts to be the first successful Chrome Zero-Day hack of 2022.
Why Does Browser Zero-Days Matter and What’s the Next Step?
According to Sophos, zero-days caused by memory mismanagement when a browser is rendering a website are always a source of concern.
That's because browser vulnerabilities that allow Remote Code Execution (RCE) can lead to so-called "drive-by downloads," in which simply visiting a booby-trapped web page can result in malware being installed on your computer or phone.
This type of infection is also known as a zero-click attack because the attackers don't have to persuade you (or your machine) to do anything other than reading their content – which is typically considered safe because it takes place solely within your browser window.
Google has released Chrome 98.0.4758.102 in response to these hacks. Google advises users to update their Chrome browser as soon as possible.
Go to Settings > Help > About Google Chrome to see if your browser has been updated. You're safe if your Chrome browser is listed as 98.0.4758.102 or above. If your browser's update isn't yet ready, keep checking again. This should be taken seriously as the zero-day attack is the most dangerous type of security exploit.
Furthermore, Chrome must be restarted after updating in order for the fixes to take effect. Chrome is now used by 3.2 billion people on desktop and mobile devices throughout the world, making it the most popular target for hackers. Those who fail to install the patch will become easy prey.