Google releases patch for zero-day Chrome vulnerability

 1 year ago
source link: https://siliconangle.com/2022/11/25/google-releases-patch-zero-day-chrome-vulnerability/

Google LLC has begun rolling out a patch for a high-severity security vulnerability that affects the desktop version of its Chrome browser.

The company disclosed the move in a Thursday blog post. The vulnerability, which is tracked as CVE-2022-4135, affects the Windows, Mac and Linux editions of Chrome. Google stated that the patch will roll out over the coming days and weeks.

“Google is aware that an exploit for CVE-2022-4135 exists in the wild,” the company stated in the blog post. The existence of the exploit suggests that hackers may be targeting vulnerable installations of Chrome.

Researchers measure the severity of software vulnerabilities using an industry-standard framework known as CVSS. According to Google, the severity of CVE-2022-4135 is ranked as High under the CVSS framework. That’s the second-highest severity ranking a vulnerability can receive after Critical. 

CVE-2022-4135 affects a component of Chrome that is known as the renderer process. When a user visits a web page, Chrome downloads the page in the form of a collection of code files. Chrome’s renderer process is responsible for turning the code files into a functioning webpage that the user can interact with.

For cybersecurity reasons, Google’s browser runs each web page in a so-called sandbox. The sandbox blocks the code in a page from accessing key components of the user’s operating system. According to Google, this makes it more difficult for malicious code to gain a foothold on the user’s computer.

CVE-2022-4135, the newly patched vulnerability in Chrome, can potentially allow hackers to bypass Chrome’s sandbox mechanism. Bypassing the mechanism makes it easier for malware to tamper with the user’s operating system. According to an explainer released by the National Institute of Standards and Technology, hackers can target CVE-2022-4135 using malicious web pages.

The vulnerability opens the door to cyberattacks because it enables hackers to create a phenomenon known as a heap buffer overflow.

Programs such as Chrome store both their code and the data they process in the memory of the user’s computer. The memory used by a program while it’s running is divided into sections known as buffers. One buffer might contain a part of Chrome’s source code, while another may contain a portion of the web page the user has opened.

A buffer overflow occurs when more data is written to a buffer than it can accommodate. The excess data is written to other buffers, overwriting the information they contain. Hackers can use this phenomenon to overwrite parts of a program with malicious code.
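The overflow described above, shown as an added example that is not from the article and is not Chrome's code or the CVE-2022-4135 flaw itself: a constructed model in which an unchecked copy spills from one buffer into its neighbour, next to the length check that stops it. The names `arena`, `copy_unchecked`, `copy_checked`, `state_intact` and `neighbour_corrupted` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16
static const char STATE[] = "trusted-state";   /* constructed sample data */

/* Constructed model: one heap allocation holding two adjacent buffers,
   page = bytes[0..15] and state = bytes[16..31]. Both halves share one
   array, so the overflow below stays well-defined C. */
struct arena { unsigned char bytes[2 * BUF_SIZE]; };

/* Before: trusts len, so anything over BUF_SIZE spills into state. */
static void copy_unchecked(struct arena *a, const void *src, size_t len) {
    memcpy(a->bytes, src, len);
}

/* After: refuses oversized input. Returns 0 on success, -1 on rejection. */
static int copy_checked(struct arena *a, const void *src, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(a->bytes, src, len);
    return 0;
}

/* Returns 1 while the state buffer still holds its original data. */
static int state_intact(const struct arena *a) {
    return memcmp(a->bytes + BUF_SIZE, STATE, sizeof STATE) == 0;
}

/* Copies 24 bytes toward the 16-byte page buffer. Returns 1 if state was
   overwritten, 0 if it survived, -1 if allocation failed. */
static int neighbour_corrupted(int use_check) {
    unsigned char input[BUF_SIZE + 8];
    struct arena *a = calloc(1, sizeof *a);
    if (a == NULL) return -1;
    memset(input, 'A', sizeof input);
    memcpy(a->bytes + BUF_SIZE, STATE, sizeof STATE);
    if (use_check) (void)copy_checked(a, input, sizeof input);
    else copy_unchecked(a, input, sizeof input);
    int corrupted = !state_intact(a);
    free(a);
    return corrupted;
}

int main(void) {
    printf("unchecked: state corrupted = %d\n", neighbour_corrupted(0));
    printf("checked:   state corrupted = %d\n", neighbour_corrupted(1));
    return 0;
}
```

In a real heap overflow the neighbouring data belongs to a separate allocation, which is why memory-error detectors such as AddressSanitizer flag the out-of-bounds write instead of letting it pass silently.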

Google’s patch for the buffer overflow flaw in Chrome is rolling out about three months after the company fixed another high-severity vulnerability that affected the browser. According to Google, the latter vulnerability was discovered in one of Chrome’s runtime libraries. A runtime library is a piece of software on which another program depends to work. 
