Google Chrome experienced a zero-day attack (a zero-day attack is when a threat actor exploits a vulnerability before software developers can find a fix). The attack was reported to Google by an anonymous security researcher, and Google acknowledges that it is actively exploited in the wild.
This was a type-confusion attack. According to MITRE’s Common Weakness Enumeration (CWE), “When the program accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access.”
If the allocated memory buffer is smaller than the type that the code is attempting to access, that could lead to a crash and possibly code execution.
We’re unclear on when the attack began, but it was discovered by the anonymous security researcher on March 23, 2022.
Google released its updated version of Chrome, 99.0.4844.84, which is rolling out worldwide. Google estimates it will only be a matter of weeks before the rollout is complete. What’s important to note is that Google rarely address a single security issue in an update, which underscores the severity of the issue.
Nuspire is aggressively patching any of its systems vulnerable to this zero-day attack.
Nuspire recommends you take the following actions: