惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
人人都是产品经理
人人都是产品经理
Project Zero
Project Zero
T
Tailwind CSS Blog
Jina AI
Jina AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
小众软件
小众软件
L
LINUX DO - 热门话题
Spread Privacy
Spread Privacy
大猫的无限游戏
大猫的无限游戏
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
C
Cisco Blogs
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
Scott Helme
Scott Helme
Security Archives - TechRepublic
Security Archives - TechRepublic
H
Heimdal Security Blog
博客园 - 【当耐特】
W
WeLiveSecurity
J
Java Code Geeks
Latest news
Latest news
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Troy Hunt's Blog
博客园 - Franky
月光博客
月光博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
PCI Perspectives
PCI Perspectives
博客园_首页
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
P
Palo Alto Networks Blog
I
InfoQ
Security Latest
Security Latest
Hacker News: Ask HN
Hacker News: Ask HN
Microsoft Azure Blog
Microsoft Azure Blog
M
MIT News - Artificial intelligence
Help Net Security
Help Net Security
F
Full Disclosure
Cyberwarzone
Cyberwarzone
D
DataBreaches.Net
The Cloudflare Blog
S
Securelist
美团技术团队
C
Cybersecurity and Infrastructure Security Agency CISA
AI
AI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events

Threatpost

Student Loan Breach Exposes 2.5M Records Watering Hole Attacks Push ScanBox Keylogger Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms Ransomware Attacks are on the Rise Cybercriminals Are Selling Access to Chinese Surveillance Cameras Twitter Whistleblower Complaint: The TL;DR Version Firewall Bug Under Active Attack Triggers CISA Warning Fake Reservation Links Prey on Weary Travelers iPhone Users Urged to Update to Patch 2 Zero-Days
Google Patches Chrome’s Fifth Zero-Day of the Year
Elizabeth Montalbano · 2022-08-18 · via Threatpost

An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday.

The bug, tracked as CVE-2022-2856 and rated as high on the Common Vulnerability Scoring System (CVSS), is associated with “insufficient validation of untrusted input in Intents,” according to the advisory posted by Google.

Google credits Ashley Shen and Christian Resell of its Google Threat Analysis Group (TAG) for reporting the zero-day bug, which could allow for arbitrary code execution, on July 19. The advisory also unveiled 10 other patches for various other Chrome issues.

Intents are a deep linking feature on the Android device within the Chrome browser that replaced URI schemes, which previously handled this process, according to Branch, a company that offers various linking options for mobile applications.

“Instead of assigning window.location or an iframe.src to the URI scheme, in Chrome, developers need to use their intent string as defined in this document,” the company explained on its website. Intent “adds complexity” but “automatically handles the case of the mobile app not being installed” within links, according to the post.

Insufficient validation is associated with input validation, a frequently-used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code, or when communicating with other components, according to MITRE’s Common Weakness Enumeration site.

“When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application,” according to a post on the site. “This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.”

Fending Off Exploits

As is typical, Google did not disclose specific details of the bug until it is widely patched to avoid threat actors taking further advantage of it, a strategy that one security professional noted is a wise one.

“Publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences, because it takes time to roll out security updates to vulnerable systems and attackers are champing at the bit to exploit these types of flaws,” observed Satnam Narang, senior staff research engineer at cybersecurity firm Tenable, in an email to Threatpost.

 Holding back info is also sound given that other Linux distributions and browsers, such as Microsoft Edge, also include code based on Google’s Chromium Project. These all could be affected if an exploit for a vulnerability is released, he said.

“It is extremely valuable for defenders to have that buffer,” Narang added.

While the majority of the fixes in the update are for vulnerabilities rated as high or medium risk, Google did patch a critical bug tracked as CVE-2022-2852, a use-after-free issue in FedCM reported by Sergei Glazunov of Google Project Zero on Aug. 8. FedCM—short for the Federated Credential Management API–provides a use-case-specific abstraction for federated identity flows on the web, according to Google.

Fifth Chrome 0Day Patch So Far

The zero-day patch is the fifth Chrome bug under active attack that Google has patched so far this year.

In July, the company fixed an actively exploited heap buffer overflow flaw tracked as CVE-2022-2294 in WebRTC, the engine that gives Chrome its real-time communications capability, while in May it was a separate buffer overflow flaw tracked as CVE-2022-2294 and under active attack that got slapped with a patch.

In April, Google patched CVE-2022-1364, a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine on which attackers already had pounced. The previous month a separate type-confusion issue in V8 tracked as CVE-2022-1096 and under active attack also spurred a hasty patch.

February saw a fix for the first of this year’s Chrome zero-days, a use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that already was under attack. Later it was revealed that North Korean hackers were exploiting the flaw weeks before it was discovered and patched.