Google issued a fresh set of Chrome security updates Wednesday headlined by a zero-day flaw that is actively being targeted in the wild.
The tech giant said that its August security update includes a total of 11 fixes, including patches for 10 CVE-listed vulnerabilities. One Chrome vulnerability, CVE-2022-2852, is classified as a critical risk, six are categorized as high risk, and the remaining three are all considered medium risks.
Included in the update was a patch for CVE-2022-2856, a zero-day vulnerability in the way the Intents component handles input validation. Google noted that the vulnerability is currently under exploitation in the wild.
Google’s advisory did not provide much information on the vulnerability itself, only describing the issue as “insufficient validation of untrusted input in Intents.” Intents is an API that allows the Chrome browser to open outside applications.
Ashley Shen and Christian Resell of Google Threat Analysis Group were credited with reporting the bug to Chrome’s developer team.
While Google was less than forthcoming with details on the under-attack vulnerability, researchers were able to figure out enough to know that the bug could potentially be dangerous when exploited.
“Web Intents are based on Android Intents and offer integration to web applications for developers,” Trend Micro Zero Day Initiative communications manager Dustin Childs told TechTarget Editorial. “The bug likely manifests when a user attempts to use an Intent for some purpose. If a threat actor can make a specially crafted response, they could get code execution on the target system.”
Tenable senior staff research engineer Satnam Narang told TechTarget Editorial that the Chrome vulnerability could potentially be linked up with other bugs to escape the browser’s sandbox protections and perform additional exploits.
“This is the biggest concern with flaws like these; their use as part of a vulnerability chain,” Narang explained.
“Typically, we know that when a zero-day in a browser has been exploited, it is often linked to advanced persistent threat (APT) groups, and their focus is more narrow towards a specific subset of targets, which would pose less of a threat on a broader level. But once these details become available and proof-of-concept exploits begin to circulate, attackers of all types are quick to incorporate them into their playbooks.”
According to Tenable, CVE-2022-2856 is the fifth zero-day flaw Google has addressed in Chrome this year. In July, a zero-day flaw in WebRTC, CVE-2022-2294, was found to be under attack in the wild, and in March Google disclosed that an unpatched vulnerability in the browser, CVE-2022-0609, had been exploited by North Korean hackers for an entire six weeks before its discovery by security researchers.
Users and administrators are advised to update Chrome as soon as possible. In most cases this can be done by simply restarting the browser.