How can it be exploited?
Ms Wong said arbitrary code execution has in the past been used to steal data, run extortion schemes, and even expose private text messages and search history.
“In addition, some of the most severe bugs would allow an attacker to execute malicious code in the context of the user,” she said.
“The severity of the attack then depends on the privileges associated with the user – whether they have the authority to install new programs; view, change or delete data; or create new user accounts.”
A hacker can also send a phishing email message or attachment with an embedded link to a website that uses Intents, said Ms Jennifer Cheng, director of product marketing, Asia-Pacific and Japan at Proofpoint.
Then, if the person who receives that email clicks on the link to the website using a Chrome browser, the attacker can connect to the site using another malicious web app and expose the person to malicious content.
“Possible repercussions of exposure to malicious content could include redirecting to another malicious site, injecting malicious code (malware), stealing data or login credentials,” she added.
Is the bug already being exploited?
Google said two members of its Threat Analysis Group first reported CVE-2022-2856 on Jul 19, and that it is aware of an exploit existing in the wild. This means the company knows – possibly via Chrome telemetry – that the vulnerability has been exploited.
“They probably know the site that did that and may know the users that have been attacked,” said Mr Candid Wuest, vice president of cyber protection research at Acronis.
“Depending on the execution, the attack itself could be rather stealthy. Google has not revealed more details about the attacker or their targets at this point.”
CNA understands that CSA has not received any reports of users being hacked via this vulnerability.
Acronis co-founder and technology president Stas Protassov said “it is reasonable to assume” that the vulnerability has been exploited by state-backed hackers, pointing to the involvement of Google’s Threat Analysis Group.
The group focuses on countering high-resourced attackers like government advanced persistent threat groups he said, adding that Google typically discloses more details about vulnerabilities 90 days after reporting.
“So we will know more results in October, unless Google decides to do so earlier,” he said.
What will the security patch do?
Ms Cheng said the Google security patch will prevent attackers from exploiting the Intents function to connect or inject malicious content to websites that support it.
“Most likely the patch will update user input validation to block the exploitation of this vulnerability,” said Acronis chief information security officer Kevin Reed.
Ms Cheng said those who choose not to install the patch are “rolling the dice” and leaving themselves exposed to malicious content and eventually compromise.
While Ms Wong agreed that those who do not update their browser would in theory be exposed to such dangers, she said it is difficult to predict an exact outcome without full details of the vulnerability.
How common is this vulnerability?
Years ago, web browser vulnerabilities were considered quite common and among a hacker’s favourites, Ms Cheng said.
“These days, this type of zero-day is far less common,” she said, using a term to describe unpatched bugs discovered before developers become aware of them.
“We like to think that developers are more security-minded now in their development practices.”
Nevertheless, Ms Wong said it is “practically impossible” to write flawless code as human error is inevitable.
“The imperative for organisations thus lies in identifying such vulnerabilities as quickly as possible, and acting decisively,” she said.
Mr Wuest said it is “good” to note that CVE-2022-2856 is the fifth zero-day that Google has patched in Chrome this year.
The first vulnerability reported in February was exploited by North Korean hackers in phishing campaigns, Bleeping Computer reported.
“Threats that ‘exist in the wild’ refer to threats that are spreading among devices belonging to ordinary users, rather than test systems,” Ms Wong said.
“This is a critical threat, which significantly threatens the security of data in the real world, when exploited by hackers.”
CNA Explains: What is Google Chrome’s latest bug and how badly can it be exploited? & Latest News Update
CNA Explains: What is Google Chrome’s latest bug and how badly can it be exploited? & More Live News
All this news that I have made and shared for you people, you will like it very much and in it we keep bringing topics for you people like every time so that you keep getting news information like trending topics and you It is our goal to be able to get
all kinds of news without going through us so that we can reach you the latest and best news for free so that you can move ahead further by getting the information of that news together with you. Later on, we will continue
to give information about more today world news update types of latest news through posts on our website so that you always keep moving forward in that news and whatever kind of information will be there, it will definitely be conveyed to you people.
CNA Explains: What is Google Chrome’s latest bug and how badly can it be exploited? & More News Today
All this news that I have brought up to you or will be the most different and best news that you people are not going to get anywhere, along with the information Trending News, Breaking News, Health News, Science News, Sports News, Entertainment News, Technology News, Business News, World News of this made available to all of you so that you are always connected with the news, stay ahead in the matter and keep getting today news all types of news for free till today so that you can get the news by getting it. Always take two steps forward
Credit Goes To News Website – This Original Content Owner News Website . This Is Not My Content So If You Want To Read Original Content You Can Follow Below Links