Heimdal Security Blog

CISA Urges Agencies to Patch a Google Chrome Bug by December 26th

The Cybersecurity and Infrastructure Security Agency (CISA) has added another actively exploited security flaw to its list of vulnerabilities known to be used in attacks.

On Friday, Google patched the vulnerability (tracked as CVE-2022-4262) in the Chrome web browser for Windows, Mac, and Linux users.

Since the beginning of the year, Google has patched nine Chrome zero-day vulnerabilities that have been discovered in the wild. Last week, Google released a security advisory in which it stated that it was “aware of reports that an exploit for CVE-2022-4262 exists in the wild.”

The flaw, discovered by Clement Lecigne of Google’s Threat Analysis Group, is a high-severity type confusion weakness in the Chromium V8 JavaScript engine.

Type confusion flaws let code read or write memory outside the bounds of a buffer; a successful exploit typically ends in a browser crash, but attackers can also use such flaws to execute arbitrary code.

As Bleeping Computer explains, although the company confirmed that attacks using this zero-day have been observed, it has not released any technical details or information about those incidents. This is likely to give the security update enough time to reach all affected systems and let users upgrade their browsers before additional attackers develop their own CVE-2022-4262 exploits.

Federal Agencies Have Three Weeks to Patch

All Federal Civilian Executive Branch (FCEB) agencies must now patch their systems against this bug within the timeline set by CISA, per Binding Operational Directive 22-01 (BOD 22-01), issued in November 2021.

They only have until December 26 to patch every vulnerable Chrome installation on their systems in order to stop any further exploitation attempts.

Although the BOD 22-01 directive applies only to U.S. FCEB agencies, the DHS cybersecurity agency strongly urged all U.S. organizations in the public and private sectors to prioritize patching this actively exploited bug.

“These vulnerabilities pose significant risk to the federal enterprise and are a frequent attack vector for malicious cyber actors of all types.”

CISA’s Statement


CISA’s full announcement is available here.
