CNA Explains: What is Google Chrome's latest bug and how badly can it be exploited?
Google Chrome users have been urged to immediately install a security patch after reports of a high-severity vulnerability in the browser. How might hackers take advantage of this bug?
SINGAPORE: The Singapore Computer Emergency Response Team (SingCERT) on Thursday (Aug 18) urged Google Chrome users to install the latest security updates immediately, citing a high-severity vulnerability in the web browser that is being exploited.
Google has not published further details of the vulnerability, as is its usual practice until most users have applied the security update, but its Chrome Releases blog described the bug as "insufficient validation of untrusted input in Intents".
"Users are also encouraged to enable the automatic update function in Chrome to ensure that their software is updated promptly," said SingCERT, a unit under the Cyber Security Agency of Singapore (CSA).
So what exactly is this vulnerability that Google calls CVE-2022-2856? How could it be exploited and with what consequences? CNA spoke to three cybersecurity companies to find out:
What is CVE-2022-2856?
CVE-2022-2856 is a vulnerability in how Chrome handles Intents, the Android mechanism by which a web page can ask the browser to launch another app and pass data to it. The input in question is data that a web page supplies and that Chrome on Android forwards to the Intent.
When you click on a webpage, Intents is used to launch applications automatically and pass data to these apps, said Ms Joanne Wong, vice president, international markets at LogRhythm.
"It is critical that such user inputs are validated, to ensure that only the right data is entered into an information system, and to prevent bad data from persisting in the database, triggering a malfunction," she explained.
When software does not validate the user input properly, a hacker can craft the input in a form that is not expected by the rest of the application.
This will lead to parts of the system getting unintended input, possibly resulting in arbitrary code execution, where a hacker uses a flaw to execute commands on a target device, she said.
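The principle in the preceding paragraphs, that data a web page hands to an Intent must be validated before the browser acts on it, can be shown with a small allowlist validator for Android `intent://` URLs, the form in which a page asks Chrome for Android to launch an app. This is an added, hypothetical example written for this article; it is not Chrome's code, does not reproduce the actual CVE-2022-2856 defect, and the field rules it enforces (well-formed package name, plain scheme token, http/https-only fallback URL, no unknown fields) are stricter assumptions of this example rather than Chrome's documented behaviour. The sample URLs are constructed.

```javascript
// Added illustrative example, not Chrome's code. Validates Android intent:// URLs
// of the documented shape:
//   intent://HOST/PATH#Intent;scheme=SCHEME;package=PKG;S.browser_fallback_url=URL;end
// The rules below are this example's own assumptions, stricter than Chrome's.

const ALLOWED_FALLBACK_SCHEMES = new Set(["http:", "https:"]);
// Keys this validator understands; anything else is rejected (assumption).
const KNOWN_KEYS = new Set(["scheme", "package", "action", "category", "S.browser_fallback_url"]);
const PACKAGE_RE = /^[a-zA-Z][a-zA-Z0-9_]*(\.[a-zA-Z][a-zA-Z0-9_]*)+$/; // e.g. com.example.app
const SCHEME_RE = /^[a-zA-Z][a-zA-Z0-9+.-]*$/; // RFC 3986 scheme token

// Parse an intent:// URL into its target and the key=value fields of the
// #Intent;...;end block. Throws on structural errors, including bad
// percent-encoding (decodeURIComponent throws on e.g. "%ZZ").
function parseIntentUrl(raw) {
  if (typeof raw !== "string" || !raw.startsWith("intent://")) {
    throw new Error("not an intent:// URL");
  }
  const hash = raw.indexOf("#Intent;");
  if (hash < 0 || !raw.endsWith(";end")) {
    throw new Error("missing #Intent;...;end block");
  }
  const target = raw.slice("intent://".length, hash);
  const body = raw.slice(hash + "#Intent;".length, -";end".length);
  const params = {};
  for (const field of body.split(";")) {
    if (field === "") continue;
    const eq = field.indexOf("=");
    if (eq < 0) throw new Error("malformed field: " + field);
    const key = field.slice(0, eq);
    if (Object.prototype.hasOwnProperty.call(params, key)) {
      throw new Error("duplicate field: " + key);
    }
    params[key] = decodeURIComponent(field.slice(eq + 1));
  }
  return { target, params };
}

// Apply the allowlist. Returns { ok, reason } so callers can log why a URL
// was refused; a real browser would refuse to dispatch the Intent on !ok.
function validateIntentUrl(raw) {
  let parsed;
  try {
    parsed = parseIntentUrl(raw);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  const p = parsed.params;
  for (const key of Object.keys(p)) {
    if (!KNOWN_KEYS.has(key)) return { ok: false, reason: "unknown field: " + key };
  }
  if (p.scheme === undefined && p.package === undefined) {
    return { ok: false, reason: "neither scheme nor package given" };
  }
  if (p.scheme !== undefined && !SCHEME_RE.test(p.scheme)) {
    return { ok: false, reason: "malformed scheme" };
  }
  if (p.package !== undefined && !PACKAGE_RE.test(p.package)) {
    return { ok: false, reason: "malformed package name" };
  }
  const fallback = p["S.browser_fallback_url"];
  if (fallback !== undefined) {
    let url;
    try {
      url = new URL(fallback); // absolute URL required; throws otherwise
    } catch (e) {
      return { ok: false, reason: "fallback URL does not parse" };
    }
    if (!ALLOWED_FALLBACK_SCHEMES.has(url.protocol)) {
      return { ok: false, reason: "fallback URL scheme not allowed: " + url.protocol };
    }
  }
  return { ok: true, reason: "", parsed };
}

// Constructed sample inputs: two well-formed URLs and three that a page should
// never be allowed to push through to an Intent.
const SAMPLES = [
  "intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end",
  "intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;S.browser_fallback_url=https%3A%2F%2Fexample.com%2Fget-app;end",
  "intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;S.browser_fallback_url=javascript%3Aalert(1);end",
  "intent://scan/#Intent;scheme=zxing;package=..%2Fevil;end",
  "intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android",
];

// Run every sample through the validator and return the verdicts.
function checkSamples() {
  return SAMPLES.map((u) => validateIntentUrl(u).ok);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const u of SAMPLES) {
    const v = validateIntentUrl(u);
    console.log((v.ok ? "ACCEPT " : "REJECT ") + u + (v.ok ? "" : "  [" + v.reason + "]"));
  }
}
```

The point of the fallback check is that `S.browser_fallback_url` is a URL the browser itself will navigate to when no app handles the Intent, so it is exactly the kind of attacker-controlled value that must be restricted to http/https before it is used; the same allowlist discipline applies to every other field a page can populate.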
How can it be exploited?
Ms Wong said arbitrary code execution has in the past been used to steal data, run extortion schemes, and even expose private text messages and search history.
"In addition, some of the most severe bugs would allow an attacker to execute malicious code in the context of the user," she said.
"The severity of the attack then depends on the privileges associated with the user - whether they have the authority to install new programs; view, change or delete data; or create new user accounts."
A hacker can also send a phishing email message or attachment with an embedded link to a website that uses Intents, said Ms Jennifer Cheng, director of product marketing, Asia-Pacific and Japan at Proofpoint.
Then, if the person who receives that email clicks on the link to the website using a Chrome browser, the attacker can connect to the site using another malicious web app and expose the person to malicious content.
"Possible repercussions of exposure to malicious content could include redirecting to another malicious site, injecting malicious code (malware), stealing data or login credentials," she added.
Is the bug already being exploited?
Google said two members of its Threat Analysis Group first reported CVE-2022-2856 on Jul 19, and that it is aware of an exploit existing in the wild. This means the company knows - possibly via Chrome telemetry - that the vulnerability has been exploited.
"They probably know the site that did that and may know the users that have been attacked," said Mr Candid Wuest, vice president of cyber protection research at Acronis.
"Depending on the execution, the attack itself could be rather stealthy. Google has not revealed more details about the attacker or their targets at this point."
CNA understands that CSA has not received any reports of users being hacked via this vulnerability.
Acronis co-founder and technology president Stas Protassov said "it is reasonable to assume" that the vulnerability has been exploited by state-backed hackers, pointing to the involvement of Google's Threat Analysis Group.
The group focuses on countering well-resourced attackers such as government-backed advanced persistent threat groups, he said, adding that Google typically discloses more details about vulnerabilities 90 days after reporting.
"So we will know more results in October, unless Google decides to do so earlier," he said.
What will the security patch do?
Ms Cheng said the Google security patch will prevent attackers from exploiting the Intents function to connect or inject malicious content to websites that support it.
"Most likely the patch will update user input validation to block the exploitation of this vulnerability," said Acronis chief information security officer Kevin Reed.
Ms Cheng said those who choose not to install the patch are "rolling the dice" and leaving themselves exposed to malicious content and eventually compromise.
While Ms Wong agreed that those who do not update their browser would in theory be exposed to such dangers, she said it is difficult to predict an exact outcome without full details of the vulnerability.
How common is this vulnerability?
Years ago, web browser vulnerabilities were considered quite common and among a hacker's favourites, Ms Cheng said.
"These days, this type of zero-day is far less common," she said, using the term for a vulnerability that is exploited or disclosed before its developer has a patch for it.
"We like to think that developers are more security-minded now in their development practices."
Nevertheless, Ms Wong said it is "practically impossible" to write flawless code as human error is inevitable.
"The imperative for organisations thus lies in identifying such vulnerabilities as quickly as possible, and acting decisively," she said.
Mr Wuest said it is "good" to note that CVE-2022-2856 is the fifth zero-day that Google has patched in Chrome this year.
The first vulnerability reported in February was exploited by North Korean hackers in phishing campaigns, Bleeping Computer reported.
"Threats that 'exist in the wild' refer to threats that are spreading among devices belonging to ordinary users, rather than test systems," Ms Wong said.
"This is a critical threat, which significantly threatens the security of data in the real world, when exploited by hackers."