CISA adds Google zero-day to exploited vulnerabilities list
The Cybersecurity and Infrastructure Security Agency (CISA) added the latest Google Chrome zero-day to its catalog of exploited vulnerabilities on Monday evening, ordering federal civilian agencies to patch the bug by December 26.
Google’s Srinivas Sista announced the vulnerability – CVE-2022-4262 – on Friday, giving it a high severity rating.
Google noted that it was reported by Clement Lecigne of Google’s Threat Analysis Group on November 29 and that an exploit for the bug existed in the wild.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Sista wrote.
CISA added that specific impacts from exploitation “are not available at this time.”
Experts said the lack of information made it difficult to discern how serious the issue is. They added that Chrome typically makes it easy for users to update their browsers, thanks to a yellow or red “Update” tag next to the search bar.
Vulcan Cyber’s Mike Parkin said it appears that an attacker could compromise a victim when they simply visit a website that hosts malicious HTML code but said the update process “is straightforward.”
Mike Walters, vice president of vulnerability and threat research at Action1, added that the vulnerability affects all versions of the browser on all platforms.
“This fix addresses the ninth zero-day vulnerability in the browser this year. Moreover, it continues an odd pattern of Google fixing a zero-day vulnerability soon after a regular release,” Walters explained.
While Google makes it simple to update browsers, patching can be problematic at times because many people do not like rebooting their browsers – something that is typically required as part of an update, Walters said.
He suggested organizations automate patching for third-party apps, including browsers, and ensure their IT teams can force reboots remotely in a way that is comfortable to end users.