If you are a Chrome browser user, be that in Windows, Mac, or Linux flavor, Google has some bad news for you. Attackers are already exploiting a high-impact security vulnerability that could lead to them gaining control of a system resource or to arbitrary code execution. This is the fifth zero-day Google has had to deal with in 2022 so far.
What is the Google Chrome CVE-2022-2856 Zero-Day?
In an advisory posted August 16, Srinivas Sista from the Google Chrome team confirms that a total of eleven security vulnerabilities, ranging from medium to critical impact, have been fixed in the latest Chrome update. One of these, CVE-2022-2856, is the zero-day in question. “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” Sista stated.
Not much detail is being made public about the zero-day vulnerability until a majority of users have had time to ensure the update is installed and activated.
However, Google does confirm that CVE-2022-2856 was reported by hackers from within the Google Threat Analysis Group, Ashley Shen and Christian Resell, on July 19. It is, the advisory states, an “insufficient validation of untrusted input in Intents.”
Which will be as clear as mud for most users.
All I can add, at this point, in an attempt to clarify, is that the ‘intents’ mentioned are how Chrome processes user input. It is possible, although, again, I cannot confirm the precise technical details of CVE-2022-2856, that an attacker could create a malicious input that prevents Chrome from validating it, potentially leading to arbitrary code execution.
What steps do you need to take to secure Google Chrome?
What I can say with complete confidence is that you should check your browser has updated to the latest Chrome version as soon as possible. For Mac and Linux users, this will be Chrome 104.0.5112.101, while for Windows users, it could be either 104.0.5112.101 or 104.0.5112.102, just for some additional unwanted confusion.
While Chrome should update automatically, it is recommended that you force the update check to be safe. You also need to perform one additional step before your browser will be secured against this zero-day and the other disclosed threats.
Go to the About Google Chrome entry in the browser menu, which will force a check for any available update. Once that update has been downloaded and installed, a relaunch button will become available. After relaunching the browser, the update will activate and protect you from the fifth Google Chrome zero-day of the year.
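For anyone checking more than one machine, the same two conditions (fixed build installed, browser relaunched) can be audited from an inventory export. This is an added example, not from Google's advisory; the inventory layout, host names and sample versions are constructed, and only the 104.0.5112.101 threshold comes from the text above.

```python
import re

# Fixed build named in the article (Windows may also report 104.0.5112.102).
PATCHED = (104, 0, 5112, 101)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part version out of text such as
    'Google Chrome 104.0.5112.101'; return None if there is none."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(installed, running):
    """Patch state for one host.
    installed: version on disk; running: version of the live browser
    process (empty if the browser is closed). Both fields are assumptions
    about what the inventory tool exports."""
    disk = parse_version(installed)
    live = parse_version(running)
    if disk is None:
        return "unknown"
    # Integer tuples compare numerically, so .99 sorts below .101
    # (a plain string comparison would get this wrong).
    if disk < PATCHED:
        return "vulnerable"
    # Update downloaded, but the old process is still running.
    if live is not None and live < PATCHED:
        return "relaunch-required"
    return "patched"


# Constructed sample inventory: (host, installed, running)
INVENTORY = [
    ("ws-01", "Google Chrome 104.0.5112.99", "104.0.5112.99"),
    ("ws-02", "Google Chrome 104.0.5112.102", "104.0.5112.99"),
    ("ws-03", "Google Chrome 104.0.5112.101", "104.0.5112.101"),
    ("ws-04", "not installed", ""),
]


def audit(rows):
    """Map each host to its patch state."""
    return {host: classify(inst, run) for host, inst, run in rows}


if __name__ == "__main__":
    for host, state in audit(INVENTORY).items():
        print(f"{host:8} {state}")
```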
As other browsers that are based around the Chromium engine will likely be impacted by the same vulnerabilities, expect updates for the likes of Brave, Edge and Opera to follow in due course.