First zero-day vulnerability of Google Chrome this year actively exploited in wild
THREAT LEVEL: Red.
For a detailed advisory, download the pdf file here
Google released a stable channel update for their Chrome browser that contains a zero-day vulnerability and is actively being exploited-in-wild. This is the first zero-day bug reported in Chrome browser this year.
A Use-After-Free (UAF) vulnerability which has been assigned CVE-2022-0609 affects the Animation component that may allow attackers to corrupt data, crash program or execute arbitrary code on computers running unpatched Chrome versions or escape the browser’s security sandbox. Successful exploitation of this issue may lead to data corruption, program crash or arbitrary code execution. In recent browser versions, a number of controls have been introduced that make exploitation of these use after free vulnerabilities much harder but despite this, they still seem to persist.
In addition to the zero-day bug, this update fixed seven other security vulnerabilities as mentioned in the table below. We recommend organizations to update to Chrome 98.0.4758.102 for Windows, Mac and Linux to avoid exploitation and mitigate any potential threats.
Potential MITRE ATT&CK TTPs are:
TA0040 – Impact
TA0001 – Initial Access
TA0002 – Execution
T1499- Endpoint Denial of Service
T1189- Drive-by Compromise
T1190- Exploit-public facing application
T1203- Exploitation for Client Execution
T1499.004- Endpoint Denial of Service: Application or System Exploitation
Vulnerability Details
Patch Link
https://www.google.com/intl/en/chrome/?standalone=1
References
https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
What’s new on HivePro
Get through updates and upcoming events, and more directly in your inbox