Google patches active exploitation of a zero-day vulnerability in Chrome in 2022.

It was the seventh zero-day vulnerability Google had patched this year, affecting its flagship Chrome web browser. The latest patch fixed an error regarding type confusion in the JavaScript-based V8 engine.

Security vulnerabilities in Chrome are being actively exploited; On Friday, Google said it expressed emergency fixes to address them. An issue with CVE-2022-3075 relates to insufficient data validation in Mojo, a collection of libraries that provides a platform-independent mechanism for inter-process communication (IPC). On 30 August 2022, an anonymous researcher announced high severity flaw.

Internet giant Google said, “They are aware of the reports that an exploit for CVE-2022-3075 dwell in the wild. To prevent additional threat actors from exploiting the vulnerability, we will not divulge too many details about the nature of the attacks.”

Discover Chrome’s zero-day vulnerabilities

The previous six zero-day vulnerabilities in Chrome that Google has set on are:

• CVE-2022-0609 – Use-after-free in Animation
• CVE-2022-1096 – Type confusion in V8
• CVE-2022-1364 – Type confusion in V8
• CVE-2022-2294 – Heap buffer overflow in WebRTC
• CVE-2022-2856 – Insufficient validation of untrusted input in Intents
• CVE-2022-3075– Insufficient Data Validation 

As per the Common Weakness Enumeration (CWE), type confusion is when any program attempts to access any system resource using an incompatible type. In other words, if a program defines a class for an object or variable and then accesses that same resource with a different kind, it might cause logical errors.

Mainly, applications are written in languages without memory protection, such as C and C++, allowing arbitrary code execution. The successful exploitation of type confusion vulnerabilities can permit threat actors to access off-limits system memory. V8 is written in C++.

Consequently, it is almost certain that merely viewing a booby-trapped website is potential trouble, as it could launch malware and rogue code on your system without any warnings or pop-ups- said one of the research scientists at Sophos.

Take a more dynamic approach with ESOF AppSec.

After Google’s admission, you need to see if you have these zero-day vulnerabilities in your IT stack’s web and app assets. We can help –  our ESOF AppSec discovers the most critical vulnerabilities and vulnerable assets across your web and mobile apps. And we can scan your web app source code for security and privacy issues.

In addition, when you combine automated inspections with human assessments and reviews you can ensure that source code security is enhanced by identifying security flaws and logical errors.

Some of ESOF AppSec’s features include:

• Cyber Risk Scores save you time because you don’t have to read detailed, lengthy reports. Using the risk score, you can improve the security posture of the entire network.
• With ESOF Scanners, tests are executed on Grey Boxes and Black Boxes, giving exact results, and eliminating many false positives.

Your Security, our Passion

Make your IT Stack safe with ESOF.

Download ESOF AppSec Datasheet for more information.