Google Chrome Security Update: CVE-2022-1096 a High-Severity Zero-Day Exploit

Google has released an emergency Chrome security update that fixes the CVE-2022-1096 vulnerability.

An anonymous cybersecurity researcher previously reported the zero-day bug in Google Chrome, tracked as CVE-2022-1096. Because this high-severity zero-day has been exploited in the wild, Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux to patch it.

According to Google, "The Stable channel has been updated to 99.0.4844.84 for Windows, Mac and Linux which will roll out over the coming days/weeks."

In the meantime, the 99.0.4844.84 version is already rolling out worldwide in the Stable Desktop channel. Google added that it estimates it will only be a matter of weeks before the new version reaches the entire user base.

The emergency update to Chrome version 99.0.4844.84 is notable because it addresses only a single security issue, which is exceedingly unusual for Google and underlines how severe the situation is.

Google's First Chrome Exploit of 2022: CVE-2022-0609

Google stated that the zero-day bug fixed on Friday, March 25, tracked as CVE-2022-1096, is a high-severity Type Confusion in the Chrome V8 JavaScript engine.

Google has identified that an exploit for this Type Confusion in the V8 JavaScript engine exists in the wild and is being actively used. V8 is the component of Chrome that is in charge of parsing JavaScript code and other scripts.

Type confusion refers to coding flaws in which an application begins an operation on input of a given "type" but is deceived into treating that input as a different "type." This results in logical flaws in the application's memory, which may allow an attacker to execute unconstrained malicious code within the application.


As reported by Bleeping Computer, although type confusion flaws usually cause browsers to crash when they are exploited by reading or writing memory outside of buffer bounds, threat actors can still use them to run arbitrary code.

In the latest Chrome release notes, Google says that details about this bug will remain restricted until the majority of users have installed the patch for the vulnerability. Google also added, "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
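The definition above can be seen in a small C sketch, added here as an illustration and not taken from Google or the V8 source. It uses a hypothetical tagged `value_t` (all names are assumptions): reading a number as if it were an array yields a bogus length, while the second accessor checks the tag and bounds before touching the data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object model for illustration; not V8's real layout. */
typedef enum { KIND_NUMBER, KIND_ARRAY } kind_t;
#define MAX_ITEMS 4

typedef struct {
    kind_t kind;                       /* runtime type tag */
    union {
        double number;                 /* valid when kind == KIND_NUMBER */
        struct { uint64_t length; int32_t items[MAX_ITEMS]; } array;
    } as;
} value_t;

value_t make_number(double d) {
    value_t v = { .kind = KIND_NUMBER, .as.number = d };
    return v;
}

value_t make_array(const int32_t *items, uint64_t n) {
    value_t v = { .kind = KIND_ARRAY, .as.array.length = n > MAX_ITEMS ? MAX_ITEMS : n };
    memcpy(v.as.array.items, items, (size_t)v.as.array.length * sizeof *items);
    return v;
}

/* Flawed pattern: assumes v is an array without checking the tag, so a
 * number's raw bits are read back as an array length. */
uint64_t array_length_unchecked(const value_t *v) {
    return v->as.array.length;
}

/* Hardened: confirm the tag, then bounds-check, before any typed access. */
int array_get_checked(const value_t *v, uint64_t index, int32_t *out) {
    if (!v || !out || v->kind != KIND_ARRAY) return -1;
    if (v->as.array.length > MAX_ITEMS || index >= v->as.array.length) return -1;
    *out = v->as.array.items[index];
    return 0;
}

int main(void) {
    value_t n = make_number(1.0);      /* constructed sample value */
    int32_t out = 0;
    printf("confused length: %llu\n", (unsigned long long)array_length_unchecked(&n));
    printf("checked access:  %d\n", array_get_checked(&n, 0, &out));
    return 0;
}
```

Code that trusted the confused length to index `items` would read far outside the four-element buffer, which is the out-of-bounds access the Bleeping Computer description refers to.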

CVE-2022-0609: North Korea's Exploit

CVE-2022-1096 is the second exploited vulnerability reported in Chrome in 2022.

CVE-2022-0609 is the first exploit Google has tracked since the beginning of the year, as early as Jan. 4, 2022. Google's Threat Analysis Group (TAG) detected that state hackers supported by North Korea exploited the CVE-2022-0609 zero-day vulnerability weeks before the February patch was released.

The first zero-day exploit was used by two different threat actors backed by the North Korean government to spread malware. These threat actors used phishing emails with fake job offers, along with websites that had been hacked to host hidden iframes that served an exploit kit.

Since this zero-day vulnerability has been reported to have been exploited by attackers in the wild, it is strongly suggested that everyone update to the latest Google Chrome version as soon as possible.

 


© 2024 iTech Post All rights reserved. Do not reproduce without permission.
