On Friday, December 2nd, 2022, Google released updates for Chrome on Android and Desktop (Windows, Mac and Linux). The Desktop update, in particular, contained fixes to combat a new zero-day vulnerability, tracked as CVE-2022-4262. This is Chrome’s ninth patched zero-day of 2022.
On Monday, December 5th, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its list of bugs known to be exploited in attacks, though specific technical details have not been shared at this time. CISA is requiring all Federal Civilian Executive Branch (FCEB) agencies to push this patch out by December 26th, three weeks from the announcement, and the Department of Homeland Security cybersecurity agency is strongly urging all U.S. organizations to do the same.
The vulnerability is caused by a high-severity type confusion weakness in the Chromium V8 JavaScript engine. Traditionally, type confusion flaws typically lead to attacks that cause browser crashes caused by reading and writing memory out of buffer bounds, but attackers can exploit them for arbitrary code execution, as well.
Google’s original security advisory can be found here: https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html
