The year’s first Chrome zero day can lead to all kinds of misery, ranging from data corruption to the execution of arbitrary code on vulnerable systems.
Google on Monday issued 11 security fixes for its Chrome browser, including a high-severity zero-day bug that is actively being jumped on by attackers in the wild.
In a brief update, Google described the weakness, tracked as CVE-2022-0609, as a use-after-free vulnerability in Chrome’s Animation component. This kind of flaw can lead to all sorts of misery, ranging from the corruption of valid data to the execution of arbitrary code on vulnerable systems. Such flaws can also be used to escape the browser’s security sandbox.
“Google is informed of reports that an exploit for CVE-2022-0609 exists in the wild,” according to its security update.
To fix the Animation problem, along with 10 other security issues, Google released Chrome 98..4758.102 for Windows, Mac, and Linux, due to roll out over the coming days or months.
Chrome users can fix it right away, though, by heading into the Chrome menu > Help > About Google Chrome.
Given that the zero day is under active attack, updating Chrome should be done ASAP.
Credit for the Animation zero day goes to Adam Weidemann and Clément Lecigne, both from Google’s Threat Analysis Group (TAG).
Monday’s update also patched four other high-severity use-after-free flaws found in Chrome’s Webstore API, File Manager, ANGLE and GPU. As well, the company addressed a high-severity integer overflow in Mojo, plus a high-severity heap buffer overflow in Tab Groups. Finally, Google patched a medium-severity issue with inappropriate implementation in Gamepad API.
And So It Begins
This is Chrome’s first zero day of the year, and more are sure to follow. But at least we’ve made it into the new-ish year 10 more days than we managed in 2021, when the first bug to hit arrived on Feb. 4.
Last year delivered a total of these 16 Chrome zero days:
- CVE-2021-21148 – Feb. 4, a vulnerability in its V8 open-source web engine.
- CVE-2021-21166 – March 2, a flaw in the Audio component of Google Chrome.
- CVE-2021-21193 – March 12, a use-after-free flaw in Blink, the browser engine for Chrome that was developed as part of the Chromium project.
- CVE-2021-21220 – April 13, a remote-code execution issue.
- CVE-2021-21224 – April 20, an issue with type confusion in V8 in Google Chrome that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
- CVE-2021-30551 – June 9, a type confusion bug in Google’s V8 open-source JavaScript and WebAssembly engine.
- CVE-2021-30554 – June 17, a use-after-free bug.
- CVE-2021-30563 – July 15, type confusion in V8.
- CVE-2021-30632 and CVE-2021-30633 – Sept. 13, an out-of-bounds write in V8 and a use-after-free bug in the IndexedDB API, respectively.
- CVE-2021-37973 – Sept. 24, a use-after-free flaw in Portals.
- CVE-2021-37976 and CVE-2021-37975 – Sept. 30, an information leak in core and a use-after-free bug in V8, respectively.
- CVE-2021-38000 and CVE-2021-38003 – Oct. 28, an issue with insufficient validation of untrusted input in Intents in Google Chrome on Android, and an inappropriate implementation in V8, respectively.
- CVE-2021-4102 – Dec. 13, a use after free in V8.
Some parts of this article are sourced from:
threatpost.com