Google Releases Patch for Chrome Browser High Severity Zero-Day on Windows and Android



Google has released an update for Chrome 103 for Windows desktops that fixes a bug in the implementation of WebRTC that it warns is already under attack.

The issue that Chrome update 103.0.5060.114 for Windows fixes is a “heap buffer overflow in WebRTC,” a class of flaw in which data is written past the end of a buffer allocated in the heap portion of memory, allowing an attacker to overwrite whatever lies next to it.

WebRTC is the open web standard for building real-time communication (RTC) video and voice applications. It is activated by JavaScript in the browser and the standard is supported by all major browser providers.


Google hasn’t offered any details about the bug, other than that it was assigned the identifier CVE-2022-2294, it has a “high” severity rating, and that Jan Vojtesek from the Avast Threat Intelligence team reported it to Google on July 1.

However, it has acknowledged that an exploit for the bug is already circulating in the wild.

“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” reads a blog post announcing the stable Chrome release for desktop.

Google, meanwhile, has also released a fix for the same WebRTC error in Chrome for Android.

MITRE says in its entry on heap-based buffer overflows: “Heap-based overflows can be used to override function pointers that may live in memory and point to the attacker’s code. Even in applications that don’t use function pointers explicitly, the runtime usually leaves many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.”
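To make the heap buffer overflow class described above concrete (the definition given for the WebRTC bug and the consequences MITRE lists), here is an added C example that is not code from Chrome, WebRTC or the article. It uses a constructed toy frame format, not WebRTC’s real wire format: a two-byte declared payload length followed by the payload. The unchecked parser trusts that length when copying into a fixed-size heap block, which is the CWE-122 pattern; the hardened parser validates every length against both the bytes actually received and the destination capacity before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy frame format, constructed for this example (not WebRTC's real format):
 *   bytes 0-1 : declared payload length, big-endian
 *   bytes 2.. : payload
 */
#define HDR_LEN 2
#define OUT_CAP 16   /* capacity of the heap buffer the payload is copied into */

static size_t declared_len(const uint8_t *pkt) {
    return ((size_t)pkt[0] << 8) | pkt[1];
}

/*
 * VULNERABLE PATTERN (CWE-122, heap-based buffer overflow): the copy length
 * comes from the untrusted header and is never compared against the
 * destination's capacity. A declared length above OUT_CAP writes past the end
 * of the heap block into whatever the allocator placed next (other objects,
 * allocator metadata, function pointers). Shown for contrast only; the demo
 * below never calls it.
 */
int parse_frame_unchecked(const uint8_t *pkt, uint8_t *out) {
    size_t n = declared_len(pkt);
    memcpy(out, pkt + HDR_LEN, n);           /* overflows out when n > OUT_CAP */
    return (int)n;
}

/*
 * HARDENED: every length derived from the packet is checked against both the
 * bytes actually received and the destination capacity before any copy.
 * Returns the number of payload bytes copied, or -1 if the frame is rejected.
 */
int parse_frame_checked(const uint8_t *pkt, size_t pkt_len,
                        uint8_t *out, size_t out_cap) {
    if (pkt == NULL || out == NULL || pkt_len < HDR_LEN)
        return -1;                           /* header incomplete */
    size_t n = declared_len(pkt);
    if (n > pkt_len - HDR_LEN)
        return -1;                           /* header claims more bytes than arrived */
    if (n > out_cap)
        return -1;                           /* copy would run past the heap block */
    memcpy(out, pkt + HDR_LEN, n);
    return (int)n;
}

/* Runs the hardened parser against a fresh OUT_CAP-byte heap buffer. */
int checked_result(const uint8_t *pkt, size_t pkt_len) {
    uint8_t *out = calloc(OUT_CAP, 1);
    if (out == NULL) return -1;
    int r = parse_frame_checked(pkt, pkt_len, out, OUT_CAP);
    free(out);
    return r;
}

int main(void) {
    /* Constructed sample frames, not captured traffic. */
    const uint8_t good[] = { 0x00, 0x04, 'a', 'b', 'c', 'd' };   /* declares 4, carries 4 */
    uint8_t oversized[HDR_LEN + 64];                             /* declares 64 > OUT_CAP */
    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 0x00; oversized[1] = 0x40;
    const uint8_t truncated[] = { 0x00, 0x10, 'x', 'y' };        /* declares 16, carries 2 */

    printf("good      -> %d\n", checked_result(good, sizeof good));            /* 4  */
    printf("oversized -> %d\n", checked_result(oversized, sizeof oversized));  /* -1 */
    printf("truncated -> %d\n", checked_result(truncated, sizeof truncated));  /* -1 */
    return 0;
}
```

The two rejections are the interesting part: the oversized frame is what turns into an out-of-bounds heap write in the unchecked version, and the truncated frame shows the companion over-read (copying bytes the packet never contained). A sanitizer build (`-fsanitize=address`) of the unchecked parser reports the first one as a heap-buffer-overflow, which is how fuzzers typically surface this bug class.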

Google says it won’t reveal details about bugs until the majority of users have been updated with a fix. It may also keep those restrictions in place when the bug is present in a third-party library that other projects similarly depend on but have not yet fixed.

The update also fixes two other serious bugs. CVE-2022-2295 is a type confusion in Chrome’s V8 JavaScript engine, while CVE-2022-2296 is a “use after free” memory issue in Chrome OS Shell.


As of June 15, Google’s security project Google Project Zero (GPZ) had counted 18 zero-days exploited in the wild so far in 2022. Two of the 18 affected Chrome.

GPZ researcher Maddie Stone said at least half of the zero-days GPZ has tracked since early 2022 “could have been prevented with more extensive patching and regression testing.”

Many of the zero-days in the first half of 2022 were just variants of previously patched bugs in Microsoft Windows, Apple iOS and WebKit, and Google Chrome. As she noted, the root cause was not fixed, allowing attackers to revisit the original bug in a different way.

The problem with incomplete patches was that it was a wasted opportunity to “make 0-day hard” for attackers.

“The goal is to force attackers to start over every time we discover one of their exploits: they are forced to discover a whole new vulnerability, they have to invest time in learning and analyzing a new attack surface, they must develop a brand new method of exploitation. To do this effectively, we need correct and comprehensive corrections,” she said.
