Google has released an update to Chrome 103 for Windows desktops that fixes a bug in WebRTC’s implementation that it warns are already under attack.
The problem with Chrome update 103.0.5060.114 for Windows addresses is a “heap buffer overflow in WebRTC”, referring to when the buffer allocated in the heap portion of memory for nefarious resources can be overwritten.
Google has not given any details about the bug, other than that it has been given the identifier CVE-2022-2294, has a “high” severity rating, and Jan Vojtesek of the Avast Threat Intelligence team reported it to Google on July 1.
However, it acknowledged that an exploit is circulating publicly.
“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” it says in a blog post announcing the stable Chrome release for desktop†
Google has also since released a fix for the same WebRTC bug in Chrome for Android†
MITER says in the entry for heap-based buffer overflowsTo: “Heap-based overflows can be used to overwrite function pointers that may live in memory and point them to the attacker’s code. Even in applications that don’t explicitly use function pointers, the runtime usually leaves many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.”
Google says it won’t reveal any details about bugs until the majority of users are updated with a fix. It may also retain limitations if the bug exists in a third-party library that other projects similarly depend on, but hasn’t been fixed yet.
The update also fixes two other very serious bugs. CVE-2022-2295 is a kind of confusion in Chrome’s V8 JavaScrip engine, while CVE-2022-2296 is a “use after free” memory issue in Chrome OS Shell.
From June 15, Google’s security project Google Project Zero (GPZ) will had counted 18 0 days exploited in the wild this year† Two of the 180 days involved Chrome.
GPZ researcher Maddie Stone said at least half of the 0 days seen by GOZ since early 2022 “could have been prevented with more extensive patch and regression testing.”
Many of the 0 days in the first half of 2022 were just variants of previously patched bugs in Microsoft Windows, Apple iOS and WebKit and Google Chrome. As she noted, the root cause issue was not addressed, allowing attackers to revisit the original bug via a different path.
The problem with incomplete patches was that it was a missed opportunity to “make 0 day difficult” for attackers.
“The goal is to force attackers to start from scratch every time we detect one of their exploits: they are forced to discover an entirely new vulnerability, they have to invest time in learning and analyzing a new attack surface, they have to build a brand new one. exploitation method. To do that effectively, we need correct and comprehensive solutions,” she said†