Overview
In 2022, Google has fixed a total of 359 security flaws in its Google Chrome browser and 9 of these flaws were zero-day vulnerabilities that were actively exploited in the wild by the malicious actors.
Description
Google has released several updates during 2022, including the out-of-the-band patches, to address a total of 359 vulnerabilities that were published on the National Vulnerability Database (NVD). 189 of these vulnerabilities were discovered in the 01 Jul – 30 Sep 2022 period, while on average a 50 vulnerabilities were detected throughout the other quarters.
| Periods in 2022 | Total Number of Vulnerabilities |
|---|---|
| 01 Jan – 31 Mar | 50 |
| 01 Apr – 30 Jun | 47 |
| 01 Jul – 30 Sep | 189 |
| 01 Oct – 31 Dec | 73 |
| Total | 359 |
What is at least as significant as the vast number of vulnerabilities that were detected in the Google Chrome Browser is the fact that 9 of these vulnerabilities were zero-days that were exploited in the wild. In other words, 9 of these flaws in the Google Chrome Browser were first identified and exploited by the malicious adversaries before they were detected and fixed by the Google.
The following table lists these zero-day vulnerabilities with their CVE identifiers, types and respective severity levels:
| CVE ID | Type | Release Date | Severity |
|---|---|---|---|
| CVE-2022-0609 | Use After Free in Animation | 14/02/2022 | High |
| CVE-2022-1096 | Type Confusion in V8 | 25/03/2022 | High |
| CVE-2022-1364 | Type Confusion in V8 Turbofan | 14/04/2022 | High |
| CVE-2022-2294 | Heap Buffer Overflow in WebRTC | 04/07/2022 | High |
| CVE-2022-2856 | Insufficient Validation of Untrusted Input in Intents | 16/08/2022 | Medium |
| CVE-2022-3075 | Insufficient Data Validation in Mojo | 02/09/2022 | Critical |
| CVE-2022-3723 | Insufficient Validation of Untrusted Input in Intents | 27/10/2022 | High |
| CVE-2022-4135 | Heap Buffer Overflow in GPU | 24/11/2022 | Critical |
| CVE-2022-4262 | Type Confusion in V8 | 02/12/2022 | High |
Note that, these vulnerabilities originate from the Chromium Open Source Software Project which is consumed by Google Chrome as its core engine. As quite a number of other web browsers (such as Microsoft Edge, Opera, Brave, Vivaldi, Epic Browser, Iron Browser, Blisk, etc.) also depend on the Chromium as their core engines, these browsers also need to be updated to their most recent versions according to the specific vendor security advisories.
By their nature, browser vulnerabilities are more exposed to external attacks. In this regard, browsers need to be updated soon after the stable versions fixing the critical detected vulnerabilities become available. However, according to some research, on average the vulnerable browser versions are updated in 2 to 3 weeks by most of the organizations. On the other hand, the risk due to vulnerable browsers is of a less concern for the normal users since by default settings Chrome browser gets updated in the background when it is closed and reopened.
Impact
A use after free vulnerability (CVE-2022-0609) in Animation in Google Chrome prior to 98.0.4758.102 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Impact Summary CVE-2022-0609
Category: Use After Free
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A Type Confusion vulnerability (CVE-2022-1096) in V8 in Google Chrome prior to 99.0.4844.84 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Impact Summary CVE-2022-1096
Category: Type Confusion
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A Type Confusion vulnerability (CVE-2022-1364) in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Impact Summary CVE-2022-1364
Category: Type Confusion
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A Heap Buffer Overflow vulnerability (CVE-2022-2294) in WebRTC in Google Chrome prior to 103.0.5060.114 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Impact Summary CVE-2022-2294
Category: Heap Buffer Overflow
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
An Insufficient Validation of Untrusted Input vulnerability (CVE-2022-2856) in Intents in Google Chrome on Android prior to 104.0.5112.101 allows a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
Impact Summary CVE-2022-2856
Category: Insufficient Validation of Untrusted Input
CVSS 3.1 Base Score: 6.5
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
An Insufficient Data Validation vulnerability (CVE-2022-3075) in Mojo in Google Chrome prior to 105.0.5195.102 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page through a compromised renderer process.
Impact Summary CVE-2022-3075
Category: Insufficient Data Validation
CVSS 3.1 Base Score: 9.6
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
An Insufficient Validation of Untrusted Input vulnerability (CVE-2022-3723) in Intents in Google Chrome on Android prior to 104.0.5112.101 allows a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
Impact Summary CVE-2022-3723
Category: Insufficient Validation of Untrusted Input
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A Heap Buffer Overflow vulnerability (CVE-2022-4135) in GPU in Google Chrome prior to 107.0.5304.121 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page through a compromised renderer process.
Impact Summary CVE-2022-4135
Category: Heap Buffer Overflow
CVSS 3.1 Base Score: 9.6
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
A Type Confusion vulnerability (CVE-2022-4262) in V8 in Google Chrome prior to 108.0.5359.94 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Impact Summary CVE-2022-4262
Category: Type Confusion
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Solution (Update)
To defend against possible attacks due to these vulnerabilities, Google Chrome needs to be updated to the most stable version announced.
Normally, Chrome updates in the background when it is closed and reopened. However, if it has not been closed for a while, there might be pending updates. To check for pending updates, you can simply click More (Three vertical dots) on the top right of the Chrome browser.
You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.
Kevin Mitnick
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
References to Advisories, Solutions and Tools
To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?
