How can it be abused?
According to Wong, arbitrary code execution has been used in the past to steal data, carry out extortion schemes, and expose private text messages and search histories.
“Additionally, some of the most severe bugs can allow attackers to execute malicious code in the context of the user,” she said.
“The severity of the attack is determined by whether the user has the privileges associated with it: installing new programs, viewing, modifying, or deleting data, or creating new user accounts.”
Hackers can also send phishing emails or attachments embedded with links to websites that use the intent, said Jennifer Cheng, director of product marketing for Asia Pacific and Japan at Proofpoint.
Then, when the recipient opens the link in the Chrome browser, the attacker uses another malicious web app to connect to the site and exposes the person to malicious content.
“The effects of exposure to malicious content include redirection to another malicious site, injection of malicious code (malware), and theft of data or login credentials,” she added.
Has the bug already been exploited?
Google said CVE-2022-2856 was first reported on July 19th by two members of its Threat Analysis Group, and that it was aware of an exploit in the wild. This means the company knows the vulnerability has been exploited, presumably learned through Chrome telemetry.
Candid Wuest, Vice President of Cyber Protection Research at Acronis, said:
“Depending on the execution, the attack itself could be quite stealthy. At this time, Google has not released any details about the attacker or their targets.”
CNA understands that CSA has not received any reports of users being hacked by this vulnerability.
Acronis co-founder and president of technology Stas Protassov said it was “reasonable to speculate” that the vulnerability was exploited by state-sponsored hackers, pointing to the involvement of Google’s Threat Analysis Group.
The group focuses on countering well-resourced attackers such as government-backed advanced persistent threat groups, and Google typically discloses details about vulnerabilities 90 days after they are reported, he added.
“So unless Google decides otherwise earlier, we will know more in October,” he said.
What do security patches do?
Cheng said Google’s security patch could prevent attackers from abusing the Intents feature to connect to websites that support it or to inject malicious content.
Acronis Chief Information Security Officer Kevin Reed said:
Cheng said those who choose not to install the patch are “rolling the dice” and being exposed to malicious content and ultimately compromised.
Wong said she agrees that people who don’t update their browsers are theoretically at such risk, but that it’s hard to predict the exact outcome without the full details of the vulnerability.
How common is this vulnerability?
Until a few years ago, web browser vulnerabilities were very common and considered one of hackers’ favourites, Cheng said.
“These kinds of zero-days aren’t very common these days,” she said, using the term to describe unpatched bugs discovered before developers were aware of them.
“I think developers are now more security focused in their development practices.”
Despite this, Wong said it’s “practically impossible” to write perfect code because human error is inevitable.
“It is therefore imperative for organizations to identify such vulnerabilities as early as possible and act decisively,” she said.
Wuest said it was “good” to note that CVE-2022-2856 is the fifth zero-day Google has patched in Chrome this year.
The first of those, reported in February, was exploited by North Korean hackers in a phishing campaign, Bleeping Computer reports.
“A threat that is ‘in the wild’ refers to a threat that is spreading among devices belonging to regular users, not test systems,” Wong said.
“This is a serious threat and, if exploited by hackers, would seriously compromise the security of real-world data.”