Google Confirms Chrome Zero-Day #5 As Attacks Begin, Update Now

August 20 Update below. This post was originally published on August 18

If you are a Chrome browser user, be that in Windows, Mac, or Linux flavor, Google has some bad news for you. Attackers are already exploiting a high-impact security vulnerability that could lead to them gaining control of a system resource or to arbitrary code execution. This is the fifth zero-day Google has had to deal with in 2022 so far.

What is the Google Chrome CVE-2022-2856 Zero-Day?

In an advisory posted August 16, Srinivas Sista from the Google Chrome team confirms that a total of eleven security vulnerabilities, ranging from medium to critical impact, have been fixed in the latest Chrome update. One of these, CVE-2022-2856, is the zero-day in question. "Google is aware that an exploit for CVE-2022-2856 exists in the wild," Sista stated.

Not much detail is being made public about the zero-day vulnerability until a majority of users have had time to ensure the update is installed and activated.

However, Google does confirm that CVE-2022-2856 was reported by hackers from within the Google Threat Analysis Group, Ashley Shen and Christian Resell, on July 19. It is, the advisory states, an "insufficient validation of untrusted input in Intents."

Which will be as clear as mud for most users.

All I can add, at this point, in an attempt to clarify, is that the 'intents' mentioned are how Chrome processes user input. It is possible, although, again, I cannot confirm the precise technical details of CVE-2022-2856, that creating a malicious input that prevents Chrome from validating it could potentially lead to arbitrary code execution.

What steps do you need to take to secure Google Chrome?

What I can say with complete confidence is that you should check your browser has updated to the latest Chrome version as soon as possible. For Mac and Linux users, this will be Chrome 104.0.5112.101, while for Windows users, it could be either 104.0.5112.101 or 104.0.5112.102, just for some additional unwanted confusion.

While Chrome should update automatically, it is recommended that you force the update check to be safe. You also need to perform one additional step before your browser will be secured against this zero-day and the other disclosed threats.

Go to the About Google Chrome entry in the browser menu, which will force a check for any available update. Once that update has been downloaded and installed, a relaunch button will become available. After relaunching the browser, the update will activate and protect you from the fifth Google Chrome zero-day of the year.
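
For anyone checking more than one machine, the comparison against the patched build can be scripted. The following is an added example, not code from Google or from this article; the function names are hypothetical and the host names and version strings in the sample inventory are constructed. It treats 104.0.5112.101 as the minimum on every platform and compares the four version fields numerically, because a plain string comparison would rank 104.0.5112.99 above 104.0.5112.101.

```python
import re

# Patched build named in the article. Windows may report .101 or .102,
# so the lower value is used as the minimum for every platform (assumption).
PATCHED_MIN = (104, 0, 5112, 101)

# Chrome versions have four dot-separated numeric fields.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part version out of text such as
    'Google Chrome 104.0.5112.79'. Returns a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_patched(text, minimum=PATCHED_MIN):
    """True if the reported version is at or above the minimum,
    False if below, None if no version could be read."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric, field by field: (…, 99) < (…, 101).
    return version >= minimum


def audit(inventory):
    """Map each host in (host, version_output) pairs to a status string."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: labels[is_patched(output)] for host, output in inventory}


# Constructed sample inventory: (host, output of the browser's version report).
SAMPLE = [
    ("host-a", "Google Chrome 104.0.5112.101 "),
    ("host-b", "Google Chrome 104.0.5112.99"),
    ("host-c", "Google Chrome 104.0.5112.102"),
    ("host-d", "Google Chrome 103.0.5060.134"),
    ("host-e", "command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A version read from the installed program does not show whether the running browser has been relaunched, so a "patched" result still depends on the relaunch step described above.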

As other browsers that are based around the Chromium engine will likely be impacted by the same vulnerabilities, expect updates for the likes of Brave, Edge and Opera to follow in due course.

August 20 Update:

CISA adds Chrome zero-day to Known Exploited Vulnerabilities Catalog

Although nearly all the mainstream media coverage, not just tech publications, has been about the recently patched Apple iOS and macOS zero-days, that doesn't mean the Google Chrome one suddenly becomes unimportant. The fact that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added CVE-2022-2856 to the 'Known Exploited Vulnerabilities Catalog' is proof of that. This list of vulnerabilities that are known to be exploited by threat actors out there in the real world comes with a strong recommendation from CISA to apply available patches as soon as possible. Needless to say, but I will anyway, the two Apple vulnerabilities (CVE-2022-32893 and CVE-2022-32894) are also included in this latest CISA catalog update.

Browser security extends beyond the vulnerabilities issue

However, it's not just vulnerabilities, or even zero-day vulnerabilities, that the security-minded Google Chrome user needs to be aware of. At the start of August, I reported how a cybercrime group called SharpTongue, said to have connections to another group, Kimsuky, which CISA reports is likely "tasked by the North Korean regime with a global intelligence gathering mission," was bypassing the need to collect credentials in order to spy on Gmail messages. The SHARPEXT attack could even read emails of users who had implemented two-factor authentication. It manages this by grabbing authentication cookies in what's known as an adversary-in-the-middle (AiTM) attack.

The SHARPEXT malware comes by way of, and here's the 'not just vulnerabilities' point, a rogue browser extension. As well as Chrome, the campaign was found to be targeting Edge (based around the same Chromium engine) and a client little known in the West called Whale, which appears to be used in South Korea. New research from Kaspersky has shone a light on the whole browser extension security issue, and it's not just restricted to Chromium-based browsers.

Kaspersky research reveals extent of malicious browser extension problem

According to Kaspersky research, in the first six months of 2022 alone, some 1,311,557 users attempted to download malicious or unwanted extensions. That, dear reader, is an increase of 70% on the number affected similarly throughout the whole of 2021. While the delivery of unwanted advertising was the most common target of these browser extensions, that's not the whole story: extensions with a malware payload were the second most common. Indeed, between January 2020 and June 2022, Kaspersky researchers say some 2.6 million individual users were attacked by such malicious extensions.

Check your Chromium-based browser is up-to-date and patched

And finally, I mentioned in the original Chrome update article that other browsers would be issuing updates in due course. These appear to all now be in place. Refer to the images below to see the latest version numbers for Brave, Edge, and Opera.
