An insufficient-validation bug, one of the 11 vulnerabilities fixed in this week’s update, could allow arbitrary code execution and is being actively exploited in the wild.
Google has patched the fifth Chrome zero-day found under active exploitation this year. The fix is one of a series shipped in a stable channel update rolled out on Wednesday.
The flaw, tracked as CVE-2022-2856 and rated High severity under the Common Vulnerability Scoring System (CVSS), stems from “insufficient validation of untrusted input in Intents,” according to Google’s advisory.
Google credited Ashley Shen and Christian Resell of its Threat Analysis Group (TAG) with reporting the zero-day on July 19. The flaw could allow arbitrary code execution. The advisory also listed fixes for 10 other Chrome bugs.
According to Branch, a company that provides deep-linking tools for mobile apps, Intents have replaced URI schemes as the deep-linking mechanism in Chrome on Android.
“Instead of assigning window.location or an iframe.src to the URI scheme, in Chrome you need to use their intent string as defined in this document,” the company wrote on its site. Intents add “some complexity,” the post says, but they “gracefully handle the case where the mobile app isn’t installed.”
Improper input validation, as MITRE’s Common Weakness Enumeration (CWE) describes it, concerns input validation: a frequently used technique for checking potentially dangerous inputs to ensure they are safe to process within the code or to pass to other components.
When software does not validate input properly, an attacker can craft input in a form the rest of the application does not expect. Parts of the system then receive unintended input, which, according to the CWE entry, may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
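As an added example that is not part of the original article and is not code from Google, Chromium or Branch, the following JavaScript builds the intent string Branch describes, parses the Android intent URL format that Chrome on Android accepts, and then applies the kind of allowlist validation the CWE entry calls for before the untrusted fields are acted on. The package names, scheme, fallback URL and allowlist are constructed for illustration; nothing here reproduces CVE-2022-2856, whose details Google had not published.

```javascript
// Added example, not code from the article, Google, Branch or Chromium:
// a parser for Android intent URLs as used by Chrome on Android, plus
// allowlist validation of the untrusted fields before they are acted on.
// Package names, scheme and fallback URL below are constructed for
// illustration; the allowlist is hypothetical.

// Format: intent://host/path#Intent;scheme=...;package=...;S.key=value;end
const INTENT_RE = /^intent:\/\/([^#\r\n]*)#Intent;([^\r\n]*);end$/;

// Only let the fallback page be an ordinary web URL, never javascript: etc.
const ALLOWED_FALLBACK_PROTOCOLS = new Set(["http:", "https:"]);

// Hypothetical allowlist of app packages this page is willing to launch.
const ALLOWED_PACKAGES = new Set(["com.example.app"]);

// Build the intent string that a page assigns to window.location instead
// of a bare custom URI scheme. The fallback URL is percent-encoded because
// ';' and '=' are delimiters inside the #Intent;...;end fragment.
function buildIntentUrl(target, { scheme, pkg, fallbackUrl }) {
  const fields = [];
  if (scheme) fields.push(`scheme=${scheme}`);
  fields.push(`package=${pkg}`);
  if (fallbackUrl) {
    fields.push(`S.browser_fallback_url=${encodeURIComponent(fallbackUrl)}`);
  }
  return `intent://${target}#Intent;${fields.join(";")};end`;
}

// Parse an intent URL into its fields. Returns null on anything malformed,
// including empty or duplicated fields, so the caller cannot be fooled by a
// second "package=" that a different parser might honour.
function parseIntentUrl(input) {
  if (typeof input !== "string") return null;
  const m = INTENT_RE.exec(input);
  if (!m) return null;
  const fields = new Map();
  for (const part of m[2].split(";")) {
    const eq = part.indexOf("=");
    if (eq <= 0) return null;                  // empty field or empty key
    const key = part.slice(0, eq);
    if (fields.has(key)) return null;          // duplicate key
    fields.set(key, part.slice(eq + 1));
  }
  return { target: m[1], fields };
}

// Validate the untrusted parts of an intent URL. Returns {ok:false, reason}
// for input that must not be dispatched, and {ok:true, ...} otherwise.
function validateIntentUrl(input) {
  const parsed = parseIntentUrl(input);
  if (!parsed) return { ok: false, reason: "malformed intent url" };
  const { fields } = parsed;

  const pkg = fields.get("package");
  if (!pkg || !ALLOWED_PACKAGES.has(pkg)) {
    return { ok: false, reason: "package not allowlisted" };
  }

  const scheme = fields.get("scheme");
  if (scheme !== undefined && !/^[a-z][a-z0-9+.-]*$/i.test(scheme)) {
    return { ok: false, reason: "invalid scheme" };
  }

  let fallback = null;
  const rawFallback = fields.get("S.browser_fallback_url");
  if (rawFallback !== undefined) {
    let url;
    try {
      url = new URL(decodeURIComponent(rawFallback));
    } catch {
      return { ok: false, reason: "fallback url unparsable" };
    }
    if (!ALLOWED_FALLBACK_PROTOCOLS.has(url.protocol)) {
      return { ok: false, reason: "fallback url protocol not allowed" };
    }
    fallback = url.href;
  }
  return { ok: true, package: pkg, scheme: scheme ?? null, fallback };
}
```

The parser rejects duplicate keys rather than taking the first or last one, because two components that disagree on which duplicate wins is exactly the kind of "input the rest of the application does not expect" the CWE text describes; the fallback URL is decoded and re-parsed with the platform URL parser so that only http and https destinations survive.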
Defending Against Cyber Attacks
As usual, Google is withholding details of the bug until the patch has been widely deployed, so as not to hand threat actors more information with which to exploit it. One security researcher called the approach prudent.
“Revealing information about a presently exploited zero-day weakness exactly when a fix is released might lead to serious repercussions. This is because it requires a while to apply security updates to susceptible systems and attackers are eagerly waiting to take advantage of such defects,” noted Satnam Narang, a senior research engineer at cybersecurity company Tenable, in an email to Threatpost.
Holding back details is also sensible given that other Linux distributions and browsers such as Microsoft Edge incorporate code from Google’s Chromium project; a public exploit for the bug could affect all of them, he said.
“Having that buffer is incredibly beneficial for defenders,” Narang emphasized.
Most of the fixes in the update address High- and Medium-severity bugs, but Google also patched a Critical flaw, CVE-2022-2852, a use-after-free in FedCM reported by Sergei Glazunov of Google Project Zero on August 8. FedCM, the Federated Credential Management API, is a browser API for federated identity flows on the web, per Google.
Fifth Chrome Zero-Day Fix Issued to Date
The patch for the zero-day is the fifth fix Google has shipped this year for an actively exploited Chrome bug.
In July, the company patched a heap buffer overflow, CVE-2022-2294, that was being actively exploited in WebRTC, the component behind Chrome’s real-time communication features. Before that, in April, it fixed a separate actively exploited type-confusion bug in the V8 JavaScript engine, CVE-2022-1364.
In February, Google fixed the year’s first Chrome zero-day, a use-after-free in Chrome’s Animation component tracked as CVE-2022-0609, which was already under attack. It later emerged that North Korean state-backed attackers had been exploiting the flaw for several weeks before it was discovered and patched.