Google Chrome patches mysterious new zero-day bug – update now – Naked Security | #computerhacking | #hacking


Last time we reported on a Chrome zero-day flaw was back in February 2022.

Back then, Google noted that the Chrome browser – and, by implication, all other browsers based on the Chromium-project code and its underlying Blink rendering engine – had been patched against a range of memory mismanagement bugs that were potentially exploitable for remote code execution (RCE).

In the browser world, RCE vulnerabilities, if successfully abused, often mean that merely viewing a web page containing booby-trapped content could leave you with uninvited, unapproved program code implanted onto your computer – an active malware infection, to put it bluntly.

(Note that we used the word could above, not will, given that browser exploits are often fickle flaws that are unreliable even when used deliberately in anger, perhaps leaving you with a crashed browser but an otherwise unharmed computer.)

Anyway, back in February 2022, none of the bugs listed by Goole got a truly dangerous rating of “Critical” (they maxxed out at the level “High”), but one of them, dubbed CVE-2022-0609, was nevertheless accompanied by the admittedly rather vague words: “Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.”

Saying that someone’s told you that a working exploit exists is not the same as admitting that you’ve actually seen the exploit yourself, of course, and that, in turn, means that you can only assume that the patch you’ve just created really does prevent any alleged “in-the-wild” attacks.

Indeed, in the case of CVE-2022-0609, Google’s Threat Analysis Group needed until late in March 2022 to follow up with a detailed report.

In that report, Google’s researchers claimed they’d tracked the first use of this exploit right back to the start of January 2022, and suggested that it had been abused by two different North Korean hacking groups.