Google rolls out patch for high-severity Chrome browser zero day
It's the eighth time this year Google has been forced to address a zero-day vulnerability in its world-leading browser


Google has patched a zero-day vulnerability in its Chrome browser, the eighth of its kind this year.
The vulnerability was caused by a “heap buffer overflow in GPU”, Google said. Such vulnerabilities can allow attackers to modify the data stored in the application’s heap, potentially altering what data the Chrome browser outputs.
The exploitation of buffer overflow flaws could also lead to general data corruption within the application, or the manipulation of the Chrome browser’s internal structures.
It has been assigned a severity rating of ‘high’, although a specific CVSSv3 score has not yet been released.
‘High’ severity ratings typically indicate a score in the range of 7.0-8.9, the second-highest severity classification on the widely used metric.
Google assigned the vulnerability a CVE identifier (CVE-2022-4135) for tracking and management, and released the new stable channel version of Google Chrome on Thursday across Windows, macOS, and Linux.
Google said it will be keeping more detailed information on the vulnerability under wraps until more users have had time to install the update.
It will also refrain from releasing further details if the Google Chrome team find the issue to be present in a third-party library on which other applications depend, for example, at least until that library also releases a fix.
The vulnerability was discovered by Clement Lecigne, security engineer at Google’s Threat Analysis Group - its security team primarily devoted to countering government-backed hacking efforts - and Google made no indication that the vulnerability has been actively exploited in the wild.
CVE-2022-4135 marks the eighth zero-day vulnerability found in Google Chrome since the start of 2022 and the second zero-day caused by a heap buffer overflow.
Three of the eight zero-days affecting the world’s most popular browser have been caused by errors in Google’s proprietary and open-sourced JavaScript V8 engine.
Other major browsers built on Chromium, such as Microsoft Edge, Opera, and Vivaldi, were also vulnerable because they too relied on Google’s V8 engine.
The full list of Google Chrome zero-day vulnerabilities found in 2022 can be found below:

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.