While Americans were celebrating the Fourth of July holiday, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such issue it has had to patch in its browser so far in 2022.
The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.
Buffer Overflow
Chrome 103 (103.0.5060.71) for Android and version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.
The vulnerability, tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1, is described as a buffer overflow “where the buffer that can be overwritten is allocated in the heap portion of memory,” according to the vulnerability’s listing on the Common Weakness Enumeration (CWE) website.
Strongly Recommended
As usual, Google did not reveal specific details about the bug; it generally waits until most users have updated to the patched version of the affected product. Updating is strongly recommended, as Google stated that exploits for the vulnerability already exist in the wild.
Also, with few details revealed about the flaw—a habit of Google’s that many security researchers find irritating—at this point an update is really the only way to defend against attacks exploiting it. Fortunately, Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.
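A practical way to confirm that the update has actually landed on a machine is to compare the installed build number against the fixed build named above. The following C program is an added example, not Chrome code or anything from Google’s advisory; it assumes the operator feeds it the version string shown at `chrome://version` or, on Linux, printed by `google-chrome --version` (for example `Google Chrome 103.0.5060.114`). It compares the dotted components numerically, because a plain string comparison would wrongly rank `103.0.5060.71` above `103.0.5060.114`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed desktop build named in the advisory (Windows and Mac).
 * Android's fixed build is 103.0.5060.71; pass that as `need` instead. */
#define CHROME_FIXED_DESKTOP "103.0.5060.114"

/* Parse up to four dotted numeric components from s, skipping any leading
 * non-digit text such as "Google Chrome ". Missing components count as 0.
 * Returns 1 on success, 0 if no version number could be found. */
static int parse_version(const char *s, unsigned long out[4]) {
    while (*s && !isdigit((unsigned char)*s)) s++;
    if (!*s) return 0;                  /* no digits at all */
    for (int i = 0; i < 4; i++) out[i] = 0;
    for (int i = 0; i < 4; i++) {
        char *end;
        out[i] = strtoul(s, &end, 10);
        if (end == s) return 0;         /* expected a number here */
        s = end;
        if (*s != '.') break;           /* end of the version string */
        s++;
    }
    return 1;
}

/* Return 1 if `have` is at least `need` (component by component),
 * 0 if it is older, -1 if either string could not be parsed. */
int version_at_least(const char *have, const char *need) {
    unsigned long a[4], b[4];
    if (!parse_version(have, a) || !parse_version(need, b)) return -1;
    for (int i = 0; i < 4; i++) {
        if (a[i] > b[i]) return 1;
        if (a[i] < b[i]) return 0;
    }
    return 1;                           /* identical versions */
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s \"<output of google-chrome --version>\"\n", argv[0]);
        return 2;
    }
    int r = version_at_least(argv[1], CHROME_FIXED_DESKTOP);
    if (r < 0) {
        puts("could not parse a version number from the input");
        return 2;
    }
    printf("%s: %s\n", argv[1],
           r ? "at or above the build fixing CVE-2022-2294"
             : "older than the fixed build, update Chrome");
    return r ? 0 : 1;
}
```

The exit status (0 patched, 1 outdated, 2 unparseable) makes the check usable from a fleet inventory script that collects version strings from each endpoint.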
Infinite Loop
Buffer overflows generally lead to crashes or other conditions that make the affected program unavailable, including putting the program into an infinite loop, according to the CWE listing. Attackers can take advantage of the situation by using the crash to execute arbitrary code, typically outside the scope of the program’s security policy.
“Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” according to the listing. “Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.”
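The layout the CWE text describes, a heap allocation holding a fixed-size buffer with a function pointer living right after it, is easy to reproduce in a few lines. The following C code is an added illustration, not Chrome or WebRTC code; the `struct peer` object, its 16-byte `name` buffer and the `on_update` callback are all constructed for this example. It places the unchecked copy that causes CWE-122 beside a hardened version that validates the length first and fails closed, and it shows how to confirm afterwards that the neighbouring function pointer is untouched.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed heap object: a fixed-size name buffer followed, in the same
 * allocation, by a function pointer (the kind the CWE text mentions). */
#define NAME_MAX 16

typedef void (*on_update_fn)(const char *name);

struct peer {
    char name[NAME_MAX];
    on_update_fn on_update;
};

static void default_handler(const char *name) {
    printf("peer renamed to %s\n", name);
}

struct peer *peer_new(void) {
    struct peer *p = calloc(1, sizeof *p);
    if (p) p->on_update = default_handler;
    return p;
}

/* VULNERABLE (CWE-122): copies however many bytes the caller supplies.
 * Input longer than NAME_MAX-1 bytes runs past `name` into `on_update`.
 * Shown only as the pattern to look for; it is never called below. */
void peer_set_name_unchecked(struct peer *p, const char *src) {
    strcpy(p->name, src);
}

/* HARDENED: measure the input against the buffer before writing anything,
 * and reject oversized input instead of truncating it silently.
 * Returns 0 on success, -1 if the input does not fit. */
int peer_set_name(struct peer *p, const char *src) {
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0') n++;
    if (n == NAME_MAX) return -1;       /* no room for the terminator */
    memcpy(p->name, src, n + 1);        /* exactly n bytes plus the NUL */
    p->on_update(p->name);
    return 0;
}

/* Post-condition check: the callback still points where it was set. */
int peer_handler_intact(const struct peer *p) {
    return p->on_update == default_handler;
}

int main(void) {
    struct peer *p = peer_new();
    if (!p) return 1;
    /* Constructed input: 31 bytes, well beyond the 16-byte buffer. */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("checked copy of oversized input: %s\n",
           peer_set_name(p, oversized) == 0 ? "accepted" : "rejected");
    printf("handler intact: %d\n", peer_handler_intact(p));
    peer_set_name(p, "alice");
    free(p);
    return 0;
}
```

When reviewing or fuzzing code like this, build with `-fsanitize=address`: AddressSanitizer flags the unchecked copy the first time an oversized input reaches it, which is the class of defect Google’s own fuzzing and audit fixes in this release are aimed at.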
Other Fixes
In addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine, tracked as CVE-2022-2295 and reported June 16 by researchers “avaue” and “Buff3tts” at S.S.L., according to the post.
This is the third such flaw patched this year alone in the open-source engine used by Chrome and Chromium-based web browsers. In March, a separate type-confusion issue in V8, tracked as CVE-2022-1096 and under active attack, spurred a hasty patch from Google.
In April, the company patched CVE-2022-1364, another type confusion flaw affecting Chrome’s use of V8, on which attackers had already pounced.
Another flaw patched in Monday’s Chrome update is a use-after-free flaw in Chrome OS Shell, reported by Khalil Zhani on May 19 and tracked as CVE-2022-2296, according to Google.
Internal Audits
All of the flaws patched in this week’s update received a severity rating of high. The updates also include several fixes from internal audits, fuzzing and other initiatives, Google noted.
Prior to patching the V8 flaws in March and April, Google in February had already patched a zero-day use-after-free flaw in Chrome’s Animation component, tracked as CVE-2022-0609, that was under active attack.