On August 16, 2022, Google pushed out patches for the Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild, according to The Hacker News.
This vulnerability is tracked as “CVE-2022-2856″ and has been defined as a case of insufficient validation of untrusted input in Intents. Google has stated that they are aware that an exploit for CVE-2022-2856 exists in the wild. In the most recent update, ten security flaws have been further addresses, most related to use-after-free bugs.
This marks the fifth zero-day vulnerability in Chrome that Google has resolved since the beginning of 2022. The previous zero-day vulnerabilities this year include:
- CVE-2022-0609 – Use-after-free in Animation (February 14)
- CVE-2022-1096 – Type confusion in V8 (March 25)
- CVE-2022-1364 – Type confusion in V8 (April 14)
- CVE-2022-2294 – Heap buffer overflow in WebRTC (July 4)
Who Were the Victims & How Did it Affect Them?
Unfortunately, Google typically doesn’t provide many technical details about these zero-day vulnerabilities until a majority of Chrome users have applied the security update. The number of people affected by this zero-day vulnerability is unknown.
According to The Hacker News, users are recommended to update to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
Could Eclypses MTE Technology Prevent This Breach?
Although MTE Technology could not prevent this entire hack, it can protect major aspects of the web application. With Eclypses MTE technology, the web application would have:
- Protected session data using SDR (Secure Data Replacement)
- Protected web traffic using MTE/MKE
- Created a one-to-one pairing relationship between the web application and the server
Eclypses MTE technology protects the web application from being an accidental victim. Interested in discussing this zero-day vulnerability with the Eclypses team? Contact us today!
Source: The Hacker News