Application Security

TYPE CONFUSION: THE NEW ZERO-DAY VULNERABILITY AFFECTING GOOGLE CHROME

TYPE CONFUSION: THE NEW ZERO-DAY VULNERABILITY AFFECTING GOOGLE CHROME
Written by ga_dahmani
TYPE CONFUSION: THE NEW ZERO-DAY VULNERABILITY AFFECTING GOOGLE CHROME

Day zero Exploits have set a trend recently with their increasing reported cases coming to light. Although there is a significant acceleration in vendors fixing security vulnerabilities in the last 2 years, according to a report from high tech glitzhackers have also apparently become quicker to spot those vulnerabilities and exploit them.

One of them is especially haunting Google’s Chrome, which has currently been infected by a “high severity” vulnerability that is being actively exploited in the wild.

The error logged as CVE-2022-1096 it’s a ‘type confusion’ error on an open source, V8 JavaScript Engine used by Chrome and Chromium based web browsers.

Some of the browsers that use Chrome’s open source Chromium code base include:

  • microsoft edge
  • Opera
  • Vivaldi
  • comfortable dragon
  • courageous
There are many more of them. Do you know the origins of your browser?

After fixing a critical Chromium Zero-Day flaw, CVE-2022-0609, in the animation component on February 14, 2022, Google Chrome was once again affected by another vulnerability in its system. CVE-2022-1096, a ‘type confusion’ issue has crippled Google.

As reported by an anonymous researcher on March 23, 2022, the vulnerability has been almost resolved by submitting an update to mitigate all potential threats. Google acknowledged its knowledge of an exploit for CVE-2022-1096 and advised its users to update to the latest version.

Type Confusion Vulnerability

A type confusion error occurs when an object is passed to code without the program checking it first. The code then uses that information without checking the type, leading to type confusion.

It is especially dangerous because it leads to out-of-bounds access in languages ​​that are not memory-safe, such as C and C++. Also, bad function pointers or data that is placed in the wrong code can, in some cases, lead to a crash or possible code execution.

WHAT ARE ZERO-DAY VULNERABILITIES?

zero-day vulnerabilities they refer to newly discovered flaws in the system that are not patched, leaving them defenseless against social engineering attacks. It’s called ‘zero day’ because attackers discover it first before any security analysts can spot it.

These undetected system loopholes can compromise a company’s networks or operations, making them a serious security threat.

Attacks typically come in the form of malware that is released into the unpatched vulnerability in a web browser or application. The malware, which is delivered via email, injects itself into the system by clicking on suspicious links or downloading the infected email attachment.

The zero-day exploit can lead to sensitive data theft, critical file corruption, device takeover, and much more. Data Leak Prevention Plans can help solve this problem.

Some related terms to understand zero-day vulnerabilities:

  • zero-day feats Social engineering methods to execute attacks.
  • zero-day attacks Attacks that exploit vulnerabilities to cause data breaches in an organization.

HOW ZERO-DAY ATTACKS ARE PERFORMED

Software developed in an enterprise contains a vulnerability that the developer is not aware of — Threat actors detect and act on it before the developer discovers it — Methods to exploit it are executed while it remains unpatched — a Zero – Exploit of the day: detected by someone in the form of data theft: the developer creates a patch for it.

SOME FAMOUS EXPLOITATIONS OF DAY ZERO

  • DAWN- A series of cyberattacks launched from China targeting US private sector companies in 2010. Threat actors launched a phishing campaign to steal trade secrets from Yahoo, Adobe, Morgan Stanley, Google, and more than two dozen other companies that compromised their networks.
  • ALIBABA- Over 8 months, a web tracking software developed by an anonymous developer took over Alibaba’s shopping website in November 2019 to collect more than 1.1 billion user data such as user IDs, mobile phone numbers and comments. Of customers.
  • STUXNET – A computer virus attack suspected of being directed by the US and Israeli governments to prevent Iran from building nuclear weapons. It is considered the cybernetic weapon of the first world.

WAYS TO ADDRESS A ZERO-DAY ATTACK

The best way to prevent any cyber attack in the first place is to maintain a good firewall and up-to-date antivirus. Ensures the server security.

  • A web application firewall (WAP) it is the first line of defense in network security. It forms a barrier between the trusted internal network and the external network, such as the Internet. Inspection of incoming and outgoing traffic can identify and block threats.
  • computer security assessment it also plays an important role in network security. Network security tests can help improve the overall security of your networks by:
  1. Constantly identify threats to networks.
  2. Security access control check.
  3. Network-based intrusion analysis.
  • Apply patches as soon as they are available to correct vulnerabilities. They can also help fix previous vulnerabilities by providing updated software.

Additionally, since zero-day vulnerabilities are intimidating enough to be considered a high-priority threat, performing VAPT to be able to help. VAPT thoroughly analyzes a network to detect all exploitable vulnerabilities present in it. It is a foolproof way to ensure the security of your organization’s IT infrastructure.

CYBERSECURITY WITH KRATIKAL

As a CERT-In spliced company, Kratikal strongly hopes for a world free of cybercrime. For the security of your systems, we offer the complete set of Vulnerability Assessment and Penetration Testing (VAPT) services like web application security testing, network security testing, medical security testing and many more. These testing services identify all security vulnerabilities in a system to protect it from potential social engineering attacks.

As a new day arrives, so does the report of a new zero-day vulnerability attack. It has become a big enough problem to deserve the full attention of vendors and hackers alike.

Vulnerabilities in a system are inevitable, but don’t get discouraged.

Where there is a problem, there is always a solution hidden somewhere below!

What do you suggest to address zero-day vulnerabilities? Comment below!

The charge TYPE CONFUSION: THE NEW ZERO-DAY VULNERABILITY AFFECTING GOOGLE CHROME first appeared in Kratikal blogs.

*** This is a syndicated Security Bloggers Network blog from Kratikal blogs written by Deepti Sachdeva. Read the original post at: https://www.kratikal.com/blog/type-confusion-the-new-zero-day-vulnerability-plaguing-googles-chrome/

About the author

ga_dahmani

Leave a Comment