CNA explains: What is the latest bug in Google Chrome and how can it be exploited?

How can it be exploited?

Ms Wong said arbitrary code execution has been used in the past to steal data, run extortion schemes and even expose private text messages and search history.

“Additionally, some of the more serious bugs would allow an attacker to execute malicious code in the context of the user,” she said.

“The severity of the attack then depends on the privileges associated with the user – whether they have the power to install new programs, view, modify or delete data or create new user accounts.”

A hacker could also send a phishing email or attachment with an embedded link to a website that uses Intents, said Ms. Jennifer Cheng, product marketing manager, Asia Pacific and Japan at Proofpoint.

Then, if the person who receives this email clicks on the link to the website using a Chrome browser, the attacker can connect to the site using another malicious web application and expose the person to malicious content.

“Possible repercussions of exposure to malicious content could include being redirected to another malicious site, injection of malicious code (malware), theft of data or login credentials,” she added.

Is the bug already exploited?

Google said two members of its Threat Analysis Group first reported CVE-2022-2856 on July 19 and it is aware of an existing exploit in the wild. This means that the company knows – possibly via Chrome telemetry – that the vulnerability has been exploited.

“They probably know the site that did this and may know the users who were attacked,” said Candid Wuest, vice president of cyber protection research at Acronis.

“Depending on the execution, the attack itself could be quite stealthy. Google has not revealed further details about the attacker or his targets at this time.”

CNA understands that CSA has not received any reports of users being hacked through this vulnerability.

Acronis co-founder and president of technology Stas Protassov said “it’s reasonable to assume” the vulnerability was exploited by state-backed hackers, pointing to the involvement of Google's Threat Analysis Group.

The group focuses on fighting well-resourced attackers such as government-backed advanced persistent threat groups, he said, adding that Google typically discloses more details about vulnerabilities 90 days after reporting.

“So we will know more results in October, unless Google decides to do so sooner,” he said.

What will the security patch do?

Cheng said Google’s security patch will prevent attackers from exploiting the Intents feature to connect or inject malicious content into websites that support it.

“Most likely, the patch will update user input validation to block exploitation of this vulnerability,” said Kevin Reed, information security manager at Acronis.

Ms Cheng said those who choose not to install the patch “roll the dice”, expose themselves to malicious content and end up compromised.

Although Ms Wong agreed that those who do not update their browsers would in theory be at risk of such dangers, she said it was difficult to predict an exact outcome without all the details of the vulnerability.

How common is this vulnerability?

Years ago, web browser vulnerabilities were considered quite common and a favorite of hackers, Cheng said.

“Nowadays, that kind of zero-day is much less common,” she said, using a term for unpatched bugs that are discovered before developers become aware of them.

“We like to think that developers are now more security conscious in their development practices.”

Still, Ms Wong said it was “virtually impossible” to write flawless code because human error is inevitable.

“So the imperative for organizations is to identify these vulnerabilities as quickly as possible and act decisively,” she said.

Mr Wuest said it was “good” to note that CVE-2022-2856 is the fifth zero-day that Google has patched in Chrome this year.

The vulnerability first reported in February was exploited by North Korean hackers in phishing campaigns, Bleeping Computer reported.

“Threats that ‘exist in the wild’ refer to threats that spread among devices owned by ordinary users, rather than on test systems,” Wong said.

“This is a critical threat, which poses a significant threat to real-world data security, when exploited by hackers.”
