Monday, Mar 28, 2022
BY: Team Nuspire
Google Chrome experienced a zero-day attack (a zero-day attack is when a threat actor exploits a vulnerability before software developers can find a fix). The attack was reported to Google by an anonymous security researcher, and Google has acknowledged that the vulnerability is being actively exploited in the wild.
What kind of zero-day attack was it?
This was a type-confusion attack. According to MITRE’s Common Weakness Enumeration (CWE), “When the program accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access.”
If the allocated memory buffer is smaller than the type the code treats it as, the access runs past the end of the buffer, which can crash the program and, in the worst case, allow code execution.
When did the zero-day attack occur?
We’re unclear on when the attack began, but it was discovered by the anonymous security researcher on March 23, 2022.
What is Google’s response?
Google released an updated version of Chrome, 99.0.4844.84, which is rolling out worldwide. Google estimates it will only be a matter of weeks before the rollout is complete. What’s important to note is that Google rarely addresses a single security issue in an update, which underscores the severity of the issue.
What is Nuspire doing?
Nuspire is aggressively patching any of its systems vulnerable to this zero-day attack.
What should I do?
Nuspire recommends you take the following actions:
- Users and organizations should update their instances of Google Chrome as soon as possible to 99.0.4844.84 for Windows, Mac and Linux to mitigate CVE-2022-1096.
- Individual users can check their version and update Google Chrome by going to Options (three dots in the upper right-hand corner) -> Settings -> About Chrome. If an update is available, Chrome will download it and prompt you to restart the browser.
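For organizations checking many endpoints rather than one browser, the following Python snippet is an added example (not from the Nuspire advisory) that compares reported Chrome versions against the 99.0.4844.84 fixed release; the hostnames and version strings in the sample inventory are constructed, and versions must be compared numerically rather than as strings, since "100.x" sorts before "99.x" lexicographically.

```python
import re
from typing import Dict, Tuple

# Release in which Google fixed CVE-2022-1096 (stated in the advisory above).
FIXED_VERSION = "99.0.4844.84"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version from text and return it as an int tuple.

    Accepts a bare version ("99.0.4844.51") or the output of `chrome --version`
    ("Google Chrome 99.0.4844.51"). Integer tuples compare correctly; plain
    string comparison would rank "100.0.4896.60" below "99.0.4844.84".
    """
    match = re.search(r"(\d+(?:\.\d+){3})", text)
    if not match:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or beyond the release that fixes the bug."""
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched' or 'vulnerable' from its reported Chrome version."""
    return {
        host: ("patched" if is_patched(version) else "vulnerable")
        for host, version in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory: host -> output of `google-chrome --version`.
    sample_inventory = {
        "ws-01": "Google Chrome 99.0.4844.51",    # pre-fix build, still exposed
        "ws-02": "Google Chrome 99.0.4844.84",    # exactly the fixed release
        "ws-03": "Google Chrome 100.0.4896.60",   # later major version
    }
    for host, status in triage(sample_inventory).items():
        print(f"{host}: {status}")
```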