While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.
Chrome 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.
The vulnerability, tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1, is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory,” according to the vulnerability’s listing on the Common Weakness Enumeration (CWE) website.
As per usual, Google did not reveal specific details about the bug, as it generally waits until most have updated to the patched version of the affected product. Indeed, updating is strongly recommended, as exploits for the vulnerability already exist in the wild, Google said.
Moreover, with scant details revealed about the flaw—a habit of Google’s that many security researchers find frustrating—at this point an update is really only way to defend against attacks exploiting the flaw. Fortunately, Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.
Buffer overflows generally lead to crashes or other attacks that make the affected program unavailable including putting the program into an infinite loop, according to the CWE listing. Attackers can take advantage of the situation by using the crash to execute arbitrary code typically outside of the scope of the program’s security policy.
“Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” according to the listing. “Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.”
Other Fixes
In addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as CVE-2022-2295 and reported June 16 by researchers “avaue” and “Buff3tts” at S.S.L., according to the post.
This is the third such flaw in the open-source engine used by Chrome and Chromium-based web browsers patched this year alone. In March a separate type-confusion issue in the V8 JavaScript engine tracked as CVE-2022-1096 and under active attack spurred a hasty patch from Google.
Then in April, the company patched CVE-2022-1364, another type confusion flaw affecting Chrome’s use of V8 on which attackers already had pounced.
Another flaw patched in Monday’s Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as CVE-2022-2296, according to Google. All of the flaws patched in this week’s update received a rating of high. The updates also includes several fixes from internal audits, fuzzing and other initiatives, Google said.
Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google in February already had patched a zero-day use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that was under active attack.