December 6 Update below. This post was originally published on December 4
Google has confirmed yet another zero-day vulnerability affecting the Chrome web browser, the ninth this year. In a posting to the official Chrome releases blog, Google states that users of Chrome on Windows, Mac, and Linux, as well as Android, are affected by the high-severity CVE-2022-4262 zero-day vulnerability, which the advisory describes only as a type confusion bug in the V8 JavaScript engine and which Google confirms is already being exploited in the wild. An urgent update has started rolling out across all platforms, and Google is withholding further technical details until a majority of Chrome users have updated.
December 6 Update:
Ed Williams, director of SpiderLabs (EMEA) at Trustwave, who heads up a team of ethical hackers, forensic investigators, and security researchers, has warned that organizations and individual users should update the Google Chrome browser immediately. This follows the U.S. Cybersecurity and Infrastructure Security Agency (CISA) giving federal agencies until Boxing Day, December 26, to patch the latest Chrome zero-day.
In a posting dated December 5, CISA confirmed it has added the exploited Google Chrome vulnerability, CVE-2022-4262, to its Known Exploited Vulnerabilities Catalog and urges all organizations to patch as soon as possible. Under Binding Operational Directive BOD 22-01, federal agencies must remediate catalog entries by the due date CISA assigns, in this case three weeks. However, Williams warns that this is far too long:
“This newly discovered and exploited flaw in Google is important for several reasons. The Google Chrome browser has a global market share of ~63%, which is a massive Total Addressable Market (TAM) and one that malicious users will likely jump on the back of. This browser is popular on a variety of operating systems, again making it a formidable vulnerability for malicious users. A browser, by its very nature, must have internet connectivity, crossing a trust barrier, again making the delivery mechanism easier – this could be a malicious link or a phishing email. Add in the fact that users are slow to update and patch their browsers (both on desktops and mobile devices), and this creates a very dangerous situation for organizations and individuals alike. My opinion is that giving organizations three weeks to patch a vulnerability will likely mean that they patch said vulnerability in three weeks. This is too long. Organized and motivated attackers will weaponize this in a few short hours. Clearly, the onus here is on organizations and individuals to patch as quickly as they can; they should be given the tools and resources to do so, as we know that a vulnerability of this severity is going to be impactful.”
Although Google Chrome has an automated update process, which means that once the security patch reaches your device it is installed automatically, the patched code only takes effect once the browser itself is relaunched. This means there are two things that can delay securing your browser: first, waiting for the update to reach you, and second, restarting Chrome so the new build is actually the one running. Google states that the update will be rolling out over the coming days and weeks, which could prove too late for some. That is why you should update Google Chrome now rather than wait for the rollout.
You can 'force' a Google Chrome security update by making the browser check whether it is up to date, which bypasses the staged rollout delay. Head to Settings > About Chrome (or type chrome://settings/help into the address bar), and Chrome will check whether you have the latest version; if not, a download and installation will start automatically. Remember, though, that Chrome version 108.0.5359.94 (or 108.0.5359.95 for some users) for Windows, and version 108.0.5359.94 for Mac and Linux, only becomes active after the browser is relaunched; the About page offers a Relaunch button once the download completes, and chrome://version shows the build that is actually running. The fully patched version of Chrome for Android is 108.0.5359.79, and you should check that this has been installed on your device.
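For anyone checking more than one machine, the manual Settings > About Chrome step does not scale. The script below is an added example, not code from the article or from Google: it compares an installed Chrome version string against the fixed build numbers quoted above and reports whether the host is still below the fix. The default install paths, the `--version` flag on the Mac and Linux binaries, and the Windows registry key `HKCU\Software\Google\Chrome\BLBeacon` are assumptions about standard installs and may differ on a managed machine; the version comparison itself is platform-independent.

```python
"""Compare an installed Chrome version against the CVE-2022-4262 fix builds.

Added example; not from the original article. The fixed build numbers are the
ones the article cites. Binary paths and the registry key are assumptions
about default Chrome installs.
"""
import os
import platform
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Lowest build that carries the fix, per platform, as stated in the article.
# Windows shipped .94 for most users and .95 for some, so .94 is the floor.
FIXED_VERSIONS = {
    "Windows": (108, 0, 5359, 94),
    "Darwin": (108, 0, 5359, 94),   # macOS
    "Linux": (108, 0, 5359, 94),
    "Android": (108, 0, 5359, 79),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first four-part dotted version from text such as
    'Google Chrome 108.0.5359.94'; None when no such version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, os_name: str) -> bool:
    """True when version_text is at or above the fixed build for os_name.
    Unparseable input counts as unpatched so a broken check fails closed."""
    if os_name not in FIXED_VERSIONS:
        raise ValueError(f"no fix version known for platform {os_name!r}")
    version = parse_version(version_text)
    if version is None:
        return False
    return version >= FIXED_VERSIONS[os_name]


def installed_version() -> Optional[str]:
    """Best-effort read of the on-disk Chrome version on this host.
    Caveat: this reports the binary on disk, which after an auto-update can be
    newer than the process still running; chrome://version inside the browser
    shows the running build, and a relaunch is needed before it matches."""
    system = platform.system()
    if system == "Windows":
        try:
            import winreg  # Windows-only module
            # Assumption: Chrome records its installed version under this key.
            key_path = r"Software\Google\Chrome\BLBeacon"
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
                return str(winreg.QueryValueEx(key, "version")[0])
        except OSError:
            return None
    if system == "Darwin":
        # Assumption: default application bundle location.
        candidates = ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"]
    else:
        # Linux: whichever of the usual binary names is on PATH.
        names = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")
        candidates = [shutil.which(n) for n in names]
    for path in candidates:
        if not path or not os.path.exists(path):
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        if parse_version(out):
            return out.strip()
    return None


if __name__ == "__main__":
    host = platform.system()
    found = installed_version()
    if host not in FIXED_VERSIONS or found is None:
        print(f"Could not determine an installed Chrome version for {host}")
    elif is_patched(found, host):
        print(f"OK: {found} is at or above the fixed build; relaunch Chrome if it "
              "was updated while open")
    else:
        print(f"VULNERABLE: {found} is below the fixed build; update via "
              "Settings > About Chrome and relaunch")
```

Run it on each host, or feed `is_patched()` the version strings a management agent already collects. The comparison is on the full four-part tuple, so a 108.0.5359.71 build (the pre-fix 108 release) is correctly reported as vulnerable even though its major version matches. Treat an "OK" from the on-disk check as necessary but not sufficient: only a relaunch moves the running browser onto the patched build.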
Check your Chrome version as a matter of urgency
“The severity of this vulnerability can hardly be overstated,” Walters concludes, “that’s why we recommend that you update your Chrome browser as soon as possible.”
Users of other web browsers built on the Chromium engine, such as Brave, Edge, and Opera, should also check for updates: these browsers ship the same affected Chromium code, so the same zero-day applies to them, and the fix arrives only when each vendor releases its own updated build.