Google races out patch for high-severity Chrome browser zero-day on Windows and Android

Google has released an update to Chrome 103 for Windows desktops that fixes a flaw in its implementation of WebRTC, which it warns is already under attack. 

The issue that Chrome update 103.0.5060.114 for Windows addresses is a “heap buffer overflow in WebRTC”, referring to when the buffer allocated in the heap portion of memory can be overwritten for nefarious means. 

WebRTC is the open web standard for building video and voice applications for real-time communications (RTC). It’s enabled by JavaScript in the browser and the standard is supported by all major browser vendors.

SEE: These hackers are spreading ransomware as a distraction – to hide their cyber spying

Google hasn’t offered any details on the bug, other than it’s been assigned the identifier CVE-2022-2294, has a “high”-severity rating, and that Jan Vojtesek of the Avast Threat Intelligence team reported it to Google on July 1. 

It did, however, acknowledge there is an exploit for it circulating in the public. 

“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” it says in a blogpost announcing the stable Chrome release for desktop. 

Google has also since released a fix for the same WebRTC flaw in Chrome for Android. 

MITRE says in its entry for heap-based buffer overflows: “Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.”

Google says it doesn’t reveal details about bugs until the majority of users are updated with a fix. It might also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.

The update also fixes two other high-severity flaws. CVE-2022-2295 is a type confusion in Chrome’s V8 JavaScrip engine, while CVE-2022-2296 is a “use after free” memory issue in Chrome OS Shell. 

SEE: Google: Half of zero-day exploits linked to poor software fixes

As of June 15, Google’s security project Google Project Zero (GPZ) had counted 18 0-days this year that had been exploited in the wild. Two of the 18 0-days affected Chrome.

GPZ researcher Maddie Stone said that at least half of the 0-days GOZ had seen since the beginning of 2022 “could have been prevented with more comprehensive patching and regression tests.”

Many of the 0-days in the first half of 2022 were just variants of previously patched bugs in Microsoft Windows, Apple iOS and WebKit, and Google Chrome. As she noted, the root cause issue was not addressed, allowing attackers to revisit the original bug through a different path. 

The problem with incomplete patches was that it was a wasted opportunity to “make 0-day hard” for attackers. 

“The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes,” she said.

Google has released an update to Chrome 103 for Windows desktops that fixes a flaw in its implementation of WebRTC, which it warns is already under attack. 

The issue that Chrome update 103.0.5060.114 for Windows addresses is a “heap buffer overflow in WebRTC”, referring to when the buffer allocated in the heap portion of memory can be overwritten for nefarious means. 

WebRTC is the open web standard for building video and voice applications for real-time communications (RTC). It’s enabled by JavaScript in the browser and the standard is supported by all major browser vendors.

SEE: These hackers are spreading ransomware as a distraction – to hide their cyber spying

Google hasn’t offered any details on the bug, other than it’s been assigned the identifier CVE-2022-2294, has a “high”-severity rating, and that Jan Vojtesek of the Avast Threat Intelligence team reported it to Google on July 1. 

It did, however, acknowledge there is an exploit for it circulating in the public. 

“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” it says in a blogpost announcing the stable Chrome release for desktop. 

Google has also since released a fix for the same WebRTC flaw in Chrome for Android. 

MITRE says in its entry for heap-based buffer overflows: “Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.”

Google says it doesn’t reveal details about bugs until the majority of users are updated with a fix. It might also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.

The update also fixes two other high-severity flaws. CVE-2022-2295 is a type confusion in Chrome’s V8 JavaScrip engine, while CVE-2022-2296 is a “use after free” memory issue in Chrome OS Shell. 

SEE: Google: Half of zero-day exploits linked to poor software fixes

As of June 15, Google’s security project Google Project Zero (GPZ) had counted 18 0-days this year that had been exploited in the wild. Two of the 18 0-days affected Chrome.

GPZ researcher Maddie Stone said that at least half of the 0-days GOZ had seen since the beginning of 2022 “could have been prevented with more comprehensive patching and regression tests.”

Many of the 0-days in the first half of 2022 were just variants of previously patched bugs in Microsoft Windows, Apple iOS and WebKit, and Google Chrome. As she noted, the root cause issue was not addressed, allowing attackers to revisit the original bug through a different path. 

The problem with incomplete patches was that it was a wasted opportunity to “make 0-day hard” for attackers. 

“The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes,” she said.