• Chris Bratton - Tech Journalist

Google Chrome web browser vulnerability issue finds emergency updates

The current version of Google Chrome runs at 100.0.4896.127 for Windows, Linux and Mac, which was under pending update. The stable channel update was required as the vulnerability was found on one of the most popular web browsers. The flaw was already exploited in the wild and fixed in the latest version.

Almost 3 billion users have Google Chrome installed in their system and other chromium-based browsers such as Windows native Edge and Brave. Even though different variants are underused, being one of the popular ones has its drawbacks. It is an easy target for vulnerability finders and threat actors. In 2022, Google had to push three emergency updates to defend against vulnerabilities.

At Tech News Hub, we talked about zero-day vulnerabilities and different types of flaws in software. But this one is more devastating as it is an everyday use tool. The CVE-2022-1364 is a high priority zero-day bug. Attackers keep pushing every thread to use to their advantage, and it was another one on their list.

The flaw utilises out of bound memory access similar to something C and C++ programming languages have in their vulnerability list. When attackers use CVE-2022-1364 vulnerability for typical users, it may not make sense, but the bug allocates memory like any other program. Memory selection occurs under threat actors' choices and can run for a certain period. Much data can get damaged during this period as browser crashes and logical errors are notorious for doing so.

Alphabet Inc's product Google was already aware of the CVE-2022-1364 issue as "it exists in the wild." Further information was not disclosed about the bug. Officials said they did not release the brief earlier as the bug needed a fix first. Chrome received the 100.0.4896.127 update across Mac, Linux and Windows before official statements made public attention. Google officials mentioned that if there are further flaws similar to this, that fix will come instantly but "will retain restrictions if the bug exists in a third-party library that other projects similarly depend on."

Security researchers reported the bug as "CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-04-13." Threat actors are constantly exploiting the chromium V8 JavaScript engine. A similar vulnerability traced as CVE-2022-1096 was also a bug that made developers work hard for a fix.

Google researchers said the bug was exploited in the wild and was reported as early as January. Threat Analysis Group (TAG) posted that the group discovered two distinct North Korean government-backed attacker groups on a Google blog. They were exploiting codes remotely. One of them was CVE-2022-0609.

The Google Chrome security team thanked the researchers behind the successful execution update in the ending remark. A wide range of fixes are now available for the bug and users using a backdated version; if you did not receive the automatic update, please consider doing so manually from the settings option.

In the TAG report, Google mentioned that North Korean government-backed threat actor groups launched multiple campaigns against US-based organisations. They span across media, IT, crypto and fintech industries. The report also mentions the involvement of other countries that were targeted.

However, many users may not know this, but the Chrome browser they use to visit websites is the underlying software, which contains 6.7 million lines of code (upper estimate). This scale is genuinely massive, and quite hard to find vulnerabilities fixes as early as possible. For the same reason, developers collect data from users, such as user logs and bug reports. Even though they are stored so that no recognisable user information is present, the emergency update was issued to billions of users, and those who haven't updated should do it promptly.