CISA adds Google zero-day to exploited vulnerabilities list

The Cybersecurity and Infrastructure Security Agency (CISA) added the latest Google Chrome zero-day to its catalog of exploited vulnerabilities on Monday evening, ordering federal civilian agencies to patch the bug by December 26.

Google’s Srinivas Sista announced the vulnerability – CVE-2022-4262 – on Friday, giving it a high severity rating. 

Google noted that it was reported by Clement Lecigne of Google's Threat Analysis Group on November 29 and that an exploit for the bug existed in the wild.

The tech giant offered few details about the issue, only writing that it was a type confusion in V8 – meaning Google V8's javascript engine.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Sista wrote. 

CISA added that specific impacts from exploitation “are not available at this time.”

Experts said the lack of information made it difficult to discern how serious the issue is and added that Chrome typically makes it easy for users to update their browsers thanks to a yellow or red “Update” tag next to the search bar. 

Vulcan Cyber’s Mike Parkin said it appears that an attacker could compromise a victim when they simply visit a website that hosts malicious HTML code but said the update process “is straightforward.”

Mike Walters, vice president of vulnerability and threat research at Action1, added that the vulnerability affects all versions of the browser on all platforms. 

“This fix addresses the ninth zero-day vulnerability in the browser this year. Moreover, it continues an odd pattern of Google fixing a zero-day vulnerability soon after a regular release,” Walters explained.

“‘Type Confusion in V8’ vulnerabilities are related to the browser’s JavaScript engine. Accordingly, it is very likely that this vulnerability allows remote code execution, which means that a threat actor could cause any script or malware payload to be executed on the victims’ device.” 

While Google makes it simple to update browsers, patching can be problematic at times because many people do not like rebooting their browsers – something that is typically required as part of an update, Walters said. 

He suggested organizations automate patching for third-party apps, including browsers, and ensure their IT teams can force reboots remotely in a way that is comfortable to end users.

Google announced the eighth exploited zero-day just two weeks ago on November 25, with the others coming in February, March, April, July, August and October.