Google Fixes Ninth Zero-Day Vulnerability, Releases Browser Update

[Image: a black smartphone on a red notebook displaying Google's logo. Caption: Google releases update for its ninth zero-day vulnerability. Source: Pexels]

Google’s Threat Analysis Group (TAG) has released a patch for a high-severity type-confusion vulnerability found in Chromium’s V8 JavaScript engine, which underlies Chrome and several other browsers built on the same code.

The zero-day vulnerability, tracked as CVE-2022-4262, is Google’s ninth this year. Google is withholding details of the bug for security reasons until most users have applied the fix.

Type-confusion bugs usually just crash the browser, but attackers can also exploit them to achieve code execution or denial of service (DoS), with serious security consequences.

Google has since updated the stable channel “to 108.0.5359.94 for Mac and Linux and 108.0.5359.94/.95 for Windows” and the extended stable channel “to 108.0.5359.94 for Windows and Mac,” adding that the update will roll out over the coming days and weeks.

Google Chrome’s Zero-Day Vulnerability Problems Continue

[Image: graphic on a white background showing the four steps of a zero-day exploit. Caption: Zero-day vulnerabilities, if left unpatched, could have damaging consequences for companies. Source: Norton]

A zero-day vulnerability is one the software vendor becomes aware of only once it is discovered, leaving developers ‘zero days’ to apply a fix. Sometimes a browser vulnerability goes undetected for months, leaving networks that run the software exposed to cyber-attacks.

Such vulnerabilities are often first exploited “in the wild,” meaning attackers are already using them against real users before a fix is available.

This latest vulnerability brings Google’s tally of zero-day vulnerabilities to nine for this year (Google patched the previous eight promptly, as soon as it discovered them). The following are the dates for the previous vulnerabilities:

Of the nine zero-day vulnerabilities, this latest one is the fourth type-confusion vulnerability in Chromium’s V8 JavaScript engine. The others involved heap buffer overflows in the GPU and WebRTC components, insufficient data validation in runtime libraries, and insufficient validation of untrusted input in Intents.

While Google has released the update to address this specific vulnerability, it’s uncertain whether all companies will be able to apply the fix before cybercriminals exploit it.

Companies that are serious about their security, however, stay ahead of the curve: they continually monitor their networks for vulnerabilities and apply patches as soon as they are needed.

Companies Exposed to Zero-Day Vulnerabilities

[Image: a Windows update screen on a black monitor, white Windows logo in the center. Caption: System updates may seem tedious, but they help patch bugs. Source: Unsplash]

In November, Apple, Firefox, VMware, Cisco, Citrix, and SAP issued major updates for security vulnerabilities. In the same month, Windows addressed 64 security issues, four of which were zero-day vulnerabilities. Mozilla fixed 19 security vulnerabilities, 8 of which were severe. And Apple addressed two, including the severe ones that it quickly fixed. But a few security vulnerabilities can still slip through the cracks undetected.

In February, a Google zero-day vulnerability allowed the North Korean state-sponsored Lazarus Group to target media firms, IT companies, and fintech organizations for a month before TAG detected and patched it. During the campaign, the attackers spammed and spoofed “250 individuals working for 10 different news media outlets, domain registrars, webhosting providers, and software vendors.”

On another occasion, TAG found exploits for Mozilla, Chrome, and Windows Defender that it linked to a Spanish cybersecurity provider, Variston IT. TAG and Google’s Project Zero researchers pick up on many vulnerabilities that affect Google’s browsers and release updates that reach a wide variety of commercial enterprises.

Vulnerable Browsers and Business Network Security Concerns 

[Image: icons of the Edge, Firefox, Chrome, Opera, and Brave browsers on a purple background. Caption: Chrome isn’t the only web browser affected by the latest zero-day vulnerability. Source: Unsplash]

The bug doesn’t just concern Chrome and Chromium (the browser). Since the vulnerability is in the source code of the open-source Chromium project, several other browsers built on that same code are also at risk.

Other browsers built on Chromium include Opera, Yandex, Vivaldi, Brave, and Epic. Companies relying on browsers that run Chromium’s source code will need to switch on automatic updates or download the latest versions of those browsers.

But doing so may only be a stopgap measure. Companies that rely on manual updates are just one negligent employee away from exposing their network, and they can’t always rely on individuals to apply patches in time. Manually applying updates is labor-intensive, and the chances of making an error are high.

For more robust network security, experts recommend solutions that offer automated patch management and scanning. These automated solutions scan the network and third-party software for missing patches and gaps in common operating systems, take the guesswork out of patch management, and free up the workforce.
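As an added example of the kind of check the two preceding paragraphs call for (confirming that Chromium-based browsers are on a build at or above Google's fix, and scanning an inventory for hosts that are not), the script below compares reported browser versions against the 108.0.5359.94 stable build named in the article. It is not Google's code or the article's own; it assumes each inventory entry is a hostname plus the version string the browser reports about itself (the output of `google-chrome --version`, or the "Chromium: …" line that Chromium-based browsers such as Brave show), and the hostnames and version strings are constructed sample data. Browsers with their own numbering schemes (Opera, Vivaldi) are deliberately reported as "unknown" unless the embedded Chromium version is recorded, since their product version says nothing about the V8 build they ship.

```python
"""Triage a browser inventory against the Chrome build that fixes CVE-2022-4262.

Added example, not Google's or the article's code. Assumes each inventory
entry is (hostname, version string) as reported by the browser itself.
Hostnames and version strings in SAMPLE_INVENTORY are constructed.
"""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Stable-channel build Google shipped for the fix (108.0.5359.94; Windows also
# received a .95 build). Any build at or above this tuple carries the patch.
FIXED_BUILD = (108, 0, 5359, 94)

# Only trust a version number explicitly tied to the Chromium engine. Browsers
# with their own numbering (Opera, Vivaldi) must report the embedded Chromium
# build, otherwise the host is flagged for manual review rather than guessed.
_ENGINE_RE = re.compile(r"(?:Google Chrome|Chromium)[: ]+(\d+)\.(\d+)\.(\d+)\.(\d+)")


def chromium_build(version_str: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the four-part Chromium build from a version string, or None."""
    m = _ENGINE_RE.search(version_str)
    if m is None:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_patched(version_str: str) -> Optional[bool]:
    """True/False when the Chromium build is known, None when it cannot be determined."""
    build = chromium_build(version_str)
    if build is None:
        return None
    return build >= FIXED_BUILD  # tuple comparison orders major, minor, build, patch


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts needing the update and hosts needing manual review."""
    unpatched: List[str] = []
    unknown: List[str] = []
    for host, version_str in inventory:
        status = is_patched(version_str)
        if status is None:
            unknown.append(host)
        elif not status:
            unpatched.append(host)
    return unpatched, unknown


def local_chrome_version() -> Optional[str]:
    """Best-effort live check of a Chrome/Chromium binary on this machine's PATH."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(exe)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=15)
            return out.stdout.strip() or None
    return None


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 108.0.5359.71"),             # 108 build that predates the fix
    ("ws-02", "Google Chrome 108.0.5359.95"),             # Windows .95 build, patched
    ("ws-03", "Brave 1.46.140 Chromium: 108.0.5359.94"),  # Chromium-based, patched
    ("ws-04", "Chromium 107.0.5304.121"),                 # older major version
    ("ws-05", "Vivaldi 5.5.2805.50"),                     # own numbering, engine unknown
]

if __name__ == "__main__":
    needs_update, review = triage(SAMPLE_INVENTORY)
    print("Needs update:", needs_update)
    print("Needs manual review:", review)
    local = local_chrome_version()
    if local:
        print("This machine:", local, "->", "patched" if is_patched(local) else "NOT patched")
```

Run against the sample inventory, the script lists ws-01 and ws-04 as needing the update and ws-05 for manual review; on a Linux or macOS host with Chrome on the PATH it also reports the local build. In a real deployment the inventory would come from the endpoint-management or patch-scanning tool the article recommends, and the fixed build tuple would be updated as each new Chrome security release ships.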

In addition to detecting and patching Google’s zero-day vulnerabilities, automated solutions also reduce the security concerns associated with third-party software vendors, browsers, and platforms.

Google has dodged the bullet for the ninth time this year, but for small to medium-sized businesses worried about their network security, its update may inspire little reassurance. Besides, who’s to say that another one of these vulnerabilities will not crop up?
