Google released a new round of Chrome security updates on Wednesday featuring a zero-day flaw that is actively targeted in nature.
The tech giant said its August security update includes a total of 11 fixes, including fixes for 10 CVE-listed vulnerabilities. One Chrome vulnerability, CVE-2022-2852, is rated as critical risk, six are rated as high risk, and the remaining three are all rated as medium risk.
The update included a fix for CVE-2022-2856, a zero-day vulnerability in the way the Intents component handles input validation. Google noted that the vulnerability is currently being exploited in the wild.
Google’s advisory didn’t provide much information about the vulnerability itself, only describing the issue as “insufficient validation of untrusted inputs in intents.” Intents is an API that allows the Chrome browser to open external applications.
Ashley Shen and Christian Resell of Google Threat Analysis Group were credited with reporting the bug to Chrome’s developer team.
While Google didn’t provide details about the subattack vulnerability, researchers were able to learn enough to know that the bug could potentially be dangerous when exploited.
“Web Intents are based on Android Intents and provide web application integration for developers,” Dustin Childs, communications manager for the Trend Micro Zero Day Initiative, told TechTarget Editorial. “The bug likely manifests when a user attempts to use an intent for a specific purpose. If a malicious actor can provide a specially crafted response, it could achieve code execution on the target system.”
Tenable senior research engineer Satnam Narang told TechTarget Editorial that the Chrome vulnerability could potentially be tied to other bugs to evade browser sandbox protections and perform additional exploits.
“That’s the biggest concern with flaws like these; using them as part of a vulnerability chain,” Narang explained.
“Generally, we know that when zero-day in a browser has been exploited, it’s often linked to Advanced Persistent Threat (APT) groups, and their focus is narrower towards a specific subset of targets, which which would pose less of a threat on a larger level, but once those details become available and proof-of-concept exploits start circulating, attackers of all types are quick to incorporate them into their playbooks.
According to Tenable, CVE-2022-2856 is the fifth zero-day flaw that Google patched in Chrome this year. In July, a zero-day flaw in WebRTC, CVE-2022-2294, was attacked in the wild, and in March, Google disclosed that an unpatched vulnerability in the browser, CVE-2022-0609, had been exploited. by North Korean hackers for six full weeks before it was discovered by security researchers.
Users and administrators are advised to update Chrome as soon as possible. In most cases, this can be done by simply restarting the browser.