On Friday, Google released emergency fixes to address a security vulnerability in the Chrome web browser that is being actively exploited in the wild.
The zero-day bug fixed (CVE-2022-3075) is a high-severity vulnerability caused by insufficient data validation in Mojo, a collection of runtime libraries that facilitates message passing across arbitrary inter- and intra-process boundaries.
An anonymous researcher was credited with reporting the high-severity flaw on August 30, 2022.
Google explains only that the security issue was found by a security researcher who chose to report it anonymously. The browser vendor also says the zero-day has been exploited in the wild, but it has yet to share technical information or details about those incidents.
Google added: “Access to bug details and links may be restricted until a majority of users are updated with a fix.” Further, “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed,” Google said.
By delaying the release of more information about these attacks, Google is likely aiming to give Chrome users enough time to update, and to limit exploitation attempts before more attackers develop their own exploits to use in attacks.
Sixth Chrome zero-day fixed in 2022
The latest update brings the number of Chrome zero-day vulnerabilities Google has fixed since the start of the year to six.
The previous five zero-day vulnerabilities found and patched in 2022 are:
- CVE-2022-0609 – Use-after-free in Animation – February 14
- CVE-2022-1096 – Type confusion in V8 – March 25
- CVE-2022-1364 – Type confusion in V8 – April 14
- CVE-2022-2294 – Heap buffer overflow in WebRTC – July 4
- CVE-2022-2856 – Insufficient validation of untrusted input in Intents – August 17
As Google's Threat Analysis Group (TAG) disclosed in February, CVE-2022-0609 was exploited by North Korean state-backed hackers weeks before the February patch, with the earliest signs of exploitation found in early January.
The bug was abused in campaigns pushing malware via phishing emails using fake job lures and via compromised websites hosting hidden iframes that served exploit kits.
Since the zero-day bug patched today is also known to have been exploited by attackers in the wild, upgrading the Google Chrome web browser as soon as possible is strongly recommended.
Users are advised to upgrade to version 105.0.5195.102 for Windows, macOS, and Linux to mitigate potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes when they become available.
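A fleet-side check against the fixed version named above, added here as an example that is not part of the article or of Google's tooling. It assumes Chrome's usual four-component version strings and a constructed host inventory; the point it demonstrates is that versions must be compared numerically, not as strings.

```python
# Added example (not from the article): check whether an installed Chrome build
# already carries the CVE-2022-3075 fix. Versions are compared as tuples of ints,
# because plain string comparison gets Chrome's four-part versions wrong
# ("105.0.5195.52" sorts after "105.0.5195.102" lexically, yet it is the older build).
import re

FIXED_VERSION = "105.0.5195.102"  # first fixed Chrome release, as stated in the article


def parse_version(text: str) -> tuple[int, ...]:
    # Pull a dotted version out of free text such as the output of
    # "google-chrome --version" ("Google Chrome 105.0.5195.52").
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    # True if the installed build is the fixed release or newer. Shorter
    # versions ("105.0") are zero-padded so every component is compared.
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    # Sort a host -> reported-version inventory into hosts still needing the
    # update, hosts already on a fixed build, and entries that could not be parsed.
    result: dict[str, list[str]] = {"needs_update": [], "patched": [], "unknown": []}
    for host, reported in inventory.items():
        try:
            bucket = "patched" if is_patched(reported) else "needs_update"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the 104/106 builds are made up.
    sample = {
        "ws-01": "Google Chrome 105.0.5195.52",   # older 105 build: still vulnerable
        "ws-02": "Google Chrome 105.0.5195.102",  # the fixed release itself
        "ws-03": "Chromium 104.0.5112.101",       # previous major: still vulnerable
        "ws-04": "Google Chrome 106.0.5249.61",   # newer major: patched
        "ws-05": "version unavailable",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```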