Google releases emergency security update for Chrome users after second 0-day of 2022 discovered

Google has released an urgent update for a 0-day vulnerability found on March 23 affecting Chrome.

Google gave CVE-2022-1096 a high severity rating and said an exploit for the vulnerability exists in the wild. Google patched the bug for Windows, Mac, and Linux operating systems users in Chrome 99.0.4844.84.

Microsoft also released a warning about the issue and patched it for Edge users. Little information is available about the issue but experts said it is tied to V8, Google’s open source JavaScript engine.

The vulnerability was submitted anonymously, according to Google.

Bugcrowd CTO Casey Ellis said the first thing that stood out about the update is that it only fixes a single issue.

“This is pretty unusual for Google – they usually fix multiple issues in these types of releases – which suggests that they are quite concerned and very motivated to see fixes against CVE-2022-1096 applied across their user-base ASAP,” Ellis said.

“The second thing is the speed of the patch being rolled out. The vulnerability was only reported on the 23rd of March, and while Google’s Chrome team tends to be fairly prompt in developing, testing, and rolling patches, the idea of a patch for software deployed as widely as Chrome in 48 hours is something I continue to be impressed by.”

Michael Freeman, CTO of Cyber Threat Cognitive Intel (CTCI), said the vulnerability is a “type confusion” in the V8 JavaScript engine exploit, explaining that V8 is Chrome’s component that handles processing JavaScript code.

A type confusion refers to coding bugs during which an app initializes data execution operations using the input of a specific “type” but is tricked into processing the incorrect input as a different “type,” he said.

“This leads to logical errors in the application’s memory, allowing an attacker to run unrestricted malicious codes inside an application.

“CTCI identified exploitation of this vulnerability on 03/20/2022 but could not match it to any known CVEs. Additional intelligence was found during the attack analysis on 3/25/2022, where we identified a phishing scam against a honey client that is used to identify client-side attacks on users within the crypto space. The initial vector was a Discord channel.”

This is the second 0-day in Chrome that Google has announced this year. Just last week the tech giant said North Korean hackers had exploited CVE-2022-0609 – which was patched in a February release – during two separate hacking campaigns.

Google Threat Analysis Group’s Adam Weidemann explained that on February 10, the company discovered two different North Korean campaigns – which they attributed to Operation Dream Job and Operation AppleJeus – exploiting the vulnerability.