The zero-day vulnerability, tracked as CVE-2022-4262, is the ninth that Google has patched in Chrome this year. Google is withholding the bug details for security reasons until most users have applied the fix.
Type-confusion bugs (the code handles an object in memory as if it were a different type from the one it actually is) often just crash the browser, but an attacker who can trigger one from crafted web content may be able to turn it into arbitrary code execution, and at minimum into a denial of service (DoS), with serious security ramifications.
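To make the "crash versus code execution" point concrete, here is an added illustration, not code from the article or from Chromium/V8, and not the CVE-2022-4262 bug itself: a hypothetical engine object model in which every heap object carries a kind tag. The vulnerable write path casts without checking the tag; the hardened one checks it first. The `bigint_obj`, `buf_obj`, `target` array and the "attacker already knows the target address" step are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object model for illustration only; this is not Chromium/V8
 * code and does not reproduce CVE-2022-4262. Each heap object starts with a
 * kind tag, the way an engine records what type an object is. */
enum kind { KIND_BIGINT = 1, KIND_BUF = 2 };
struct header { uint32_t kind; };

/* A 128-bit integer whose two halves are script-controlled. */
struct bigint_obj { struct header h; uint64_t lo; uint64_t hi; };

/* A byte buffer: the engine trusts data/len as the bounds of a write. */
struct buf_obj { struct header h; uint8_t *data; uint64_t len; };

/* One allocation slot that may hold either kind of object. */
union cell { struct header h; struct bigint_obj bigint; struct buf_obj buf; };

/* The confusion works because the two layouts overlap field-for-field. */
_Static_assert(offsetof(struct bigint_obj, lo) == offsetof(struct buf_obj, data),
               "bigint.lo overlays buf.data");

/* Vulnerable: the cast assumes the slot holds a buffer. When the engine has
 * lost track of the real type (the type confusion), a bigint's `lo` is read
 * as buf.data and its `hi` as buf.len, so the attacker picks both the
 * destination pointer and the bound of the write. Returns 0 on write, -1 if
 * idx is outside the (trusted) bound. */
static int write_byte_vuln(union cell *o, uint64_t idx, uint8_t b) {
    struct buf_obj *buf = &o->buf;            /* no kind check */
    if (idx >= buf->len) return -1;
    buf->data[idx] = b;
    return 0;
}

/* Hardened: check the tag before trusting any field. Returns -2 on a type
 * mismatch instead of reinterpreting the object. */
static int write_byte_safe(union cell *o, uint64_t idx, uint8_t b) {
    if (o->h.kind != KIND_BUF) return -2;
    struct buf_obj *buf = &o->buf;
    if (idx >= buf->len) return -1;
    buf->data[idx] = b;
    return 0;
}

/* Constructed attack: a bigint sits where the code expects a buffer. The
 * attacker wants to write into `target`; a real exploit would first leak
 * that address, here we simply assume it is known. */
static uint8_t target[8];

static void plant_confused_bigint(union cell *slot) {
    memset(slot, 0, sizeof *slot);
    slot->bigint.h.kind = KIND_BIGINT;
    slot->bigint.lo = (uint64_t)(uintptr_t)target;  /* read back as buf.data */
    slot->bigint.hi = UINT64_MAX;                   /* read back as buf.len  */
}

/* Runs the vulnerable path; returns the byte that landed in target[0]. */
int run_vuln(void) {
    union cell slot;
    memset(target, 0, sizeof target);
    plant_confused_bigint(&slot);
    write_byte_vuln(&slot, 0, 0x41);
    return target[0];                         /* 0x41: attacker-chosen write */
}

/* Runs the hardened path; returns its error code (target stays untouched). */
int run_safe(void) {
    union cell slot;
    memset(target, 0, sizeof target);
    plant_confused_bigint(&slot);
    return write_byte_safe(&slot, 0, 0x41);   /* -2, and target[0] stays 0 */
}

int main(void) {
    printf("vulnerable path wrote 0x%02x into target\n", run_vuln());
    printf("hardened path returned %d, target[0] = %u\n", run_safe(), target[0]);
    return 0;
}
```

The vulnerable path turns a script-controlled integer into a pointer and a length, which is exactly the write-what-where primitive an exploit chain is built on; an attacker who gets a garbage value there instead gets the crash. The fix is not to validate the index harder but to refuse to interpret the object until its real type has been established.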
Google has since updated the stable channel “to 108.0.5359.94 for Mac and Linux and 108.0.5359.94/.95 for Windows” and the extended stable channel “to 108.0.5359.94 for Windows and Mac,” adding that these will roll out over the coming days/weeks.
Google Chrome’s Zero-Day Vulnerability Problems Continue
A zero-day vulnerability is one that is being exploited, or is publicly known, before the vendor has a patch for it: the developers have had "zero days" to prepare a fix. Sometimes a browser vulnerability goes undetected for months, leaving every network running that software exposed to attack.
Cybercriminals exploit zero-days "in the wild," that is, against real targets while no fix exists; once the patch ships, the window narrows to whoever has not yet applied it.
This latest flaw brings Google's zero-day tally to nine for the year (Google patched each of the previous eight promptly once it learned of it). Patch dates for the previous eight:
- CVE-2022-0609 — Feb. 14
- CVE-2022-1096 — March 25
- CVE-2022-1364 — April 14
- CVE-2022-2294 — July 4
- CVE-2022-2856 — Aug. 17
- CVE-2022-3075 — Sep. 2
- CVE-2022-3723 — Oct. 28
- CVE-2022-4135 — Nov. 25
Google has released the update that addresses this vulnerability, but it is uncertain whether every company will apply it before the attackers, who already hold a working exploit, reach them.
Companies that are serious about their security, however, stay ahead of the curve and continually monitor their networks for vulnerabilities and apply patches whenever needed.
Companies Exposed to Zero-Day Vulnerabilities
In November, Apple, Mozilla (Firefox), VMware, Cisco, Citrix, and SAP issued major security updates. In the same month, Microsoft addressed 64 security issues in Windows, four of them zero-days; Mozilla fixed 19 vulnerabilities, 8 of them severe; and Apple addressed two serious ones, which it fixed quickly. Still, a few vulnerabilities can slip through the cracks undetected.
In February, a Google zero-day (CVE-2022-0609 in the list above) allowed North Korean state-sponsored attackers, the Lazarus Group, to target media firms, IT companies, and fintech organizations for about a month before Google's Threat Analysis Group (TAG) detected it and Google patched it. During the campaign the attackers spammed spoofed emails at "250 individuals working for 10 different news media outlets, domain registrars, webhosting providers, and software vendors."
On another occasion, TAG found exploits for Firefox, Chrome, and Windows Defender that it linked to a Spanish company, Variston IT. TAG and Google's Project Zero researchers find many of the vulnerabilities in Google's browser, and the resulting updates reach a wide variety of commercial enterprises.
Vulnerable Browsers and Business Network Security Concerns
The bug doesn't just affect Google Chrome. The vulnerable code is in Chromium, the open-source project Chrome is built from (specifically its V8 JavaScript engine), so every other browser built on the same code is at risk until it ships the fixed build.
Other browsers built on Chromium include Microsoft Edge, Opera, Yandex, Vivaldi, Brave, and Epic. Companies relying on any of them will need to switch on automatic updates or install the latest version as soon as that vendor ships the fix.
Even that may only be a stopgap. Companies that rely on manual updates are one negligent employee away from exposing their network, and they can't count on individuals applying patches in time: manual patching is labor-intensive and the chance of error is high.
For more robust network security, experts recommend automated patch management and vulnerability scanning. Such tools inventory the network and its third-party software, flag missing patches and gaps in common operating systems, take the guesswork out of patch management, and free up staff.
Beyond detecting and patching Google's zero-days, automated patching also reduces the exposure that comes from third-party software vendors, browsers, and platforms; it cannot eliminate it, since a vendor still has to ship the fix first.
Google has dodged the bullet for the ninth time this year, but for small and medium-sized businesses worried about their network security, the update may offer little reassurance. Besides, who's to say another one of these vulnerabilities won't crop up?
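The core check such a scanner performs is a version comparison against the fixed build, and it is easy to get wrong with a plain string compare. As an added example (not the article's code and not any product's), here is a minimal inventory check against the 108.0.5359.94 build quoted above. The `inventory` table is constructed sample data; the hostnames and the assumption that derivative browsers are recorded by their underlying Chromium build are inventions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one numeric component of a dotted version and advance past it.
 * Anything that is not digits or a dot ends the string (read as 0s). */
static unsigned long next_component(const char **p) {
    char *end;
    unsigned long v = strtoul(*p, &end, 10);
    if (*end == '.') *p = end + 1;            /* step over the separator */
    else *p = end + strlen(end);              /* last component or junk: stop */
    return v;
}

/* Numeric, component-wise comparison, so "108.0.5359.94" < "108.0.5359.95"
 * and "99.0.1" < "108.0.0" (strcmp would get the second one backwards).
 * Missing trailing components count as 0. Returns <0, 0, >0 like strcmp. */
int version_cmp(const char *a, const char *b) {
    while (*a || *b) {
        unsigned long x = next_component(&a);
        unsigned long y = next_component(&b);
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* Baseline from the Chrome release note quoted above; the Windows builds are
 * .94 and .95, both of which compare as fixed against this baseline. */
#define FIXED_VERSION "108.0.5359.94"

struct install { const char *host; const char *browser; const char *version; };

/* Constructed sample inventory, not real data. Derivative browsers such as
 * Brave or Opera report their own product version; this example assumes the
 * inventory records the underlying Chromium build for each of them. */
static const struct install inventory[] = {
    { "fin-01", "Chrome",                 "108.0.5359.94"  },
    { "hr-07",  "Chrome",                 "107.0.5304.122" },
    { "dev-12", "Brave (Chromium build)", "108.0.5359.71"  },
    { "ops-03", "Chrome",                 "108.0.5359.95"  },
};
#define INVENTORY_LEN (sizeof inventory / sizeof inventory[0])

/* Report every host whose browser is older than `fixed`; return the count. */
int count_unpatched(const struct install *list, size_t n, const char *fixed) {
    int unpatched = 0;
    for (size_t i = 0; i < n; i++) {
        if (version_cmp(list[i].version, fixed) < 0) {
            printf("UNPATCHED %-8s %s %s (< %s)\n", list[i].host,
                   list[i].browser, list[i].version, fixed);
            unpatched++;
        }
    }
    return unpatched;
}

int main(void) {
    int n = count_unpatched(inventory, INVENTORY_LEN, FIXED_VERSION);
    printf("%d of %zu hosts still need the fix\n", n, INVENTORY_LEN);
    return n ? 1 : 0;   /* non-zero exit lets a scheduler flag the run */
}
```

In practice the version strings come from the browser binary or its update registry keys rather than a static table, and each Chromium derivative needs its own mapping from product version to Chromium build; the comparison logic is the part that stays the same.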