This past week has brought news of another critical Google Chrome zero-day exploit (CVE-2022-1096). This exploit was identified to Google via an anonymous tip on 23 March 2022. It affects Windows, Mac, and Linux operating systems. Google has since produced a patch which should be applied immediately to remedy this vulnerability. It can be accessed by upgrading to Chrome version 99.0.4844.84.
Zero-day vulnerabilities are incredibly effective exploits for hackers and other cyber criminals. According to the MIT Technology Review, 2021 broke the record for zero-day hacking attacks. The Zero-day tracking project shows that hackers are continuing to pursue these vulnerabilities in 2022.
What is a Google Chrome Zero-Day Vulnerability?
A zero-day vulnerability is a system weakness that can be used by hackers to launch an attack. These are discovered by malicious actors before vendors are aware of their existence and, therefore, before a fix exists. These flaws can often allow hackers to gain unauthorized access or compromise underlying systems. A zero-day exploit is the method that hackers use to attack systems with these previously unidentified vulnerabilities.
Zero-day exploits get their name from the fact that they are known to the public for zero days. This often means that security professionals and organizations only find out about this vulnerability after an attack has occurred.
Google Chrome is often a target for zero-day attackers because of its popularity. According to data from Google’s Project Zero research unit, Chrome is targeted far more often than Firefox, Safari, and Internet Explorer. There is little access to specific bug details about the latest Chrome zero-day, as Google is restricting the information until a majority of users have been updated with a fix.
Zero-day Exploits are Valuable to Cyber Criminals
Zero-day exploits may be patched quickly once discovered; however, this requires user vigilance. It is estimated that the average Mean-Time-To-Patch (MTTP) can be anywhere from 60-150 days, and attackers welcome these numbers with open arms.
Savvy, opportunistic hackers know very well that there are still a myriad of unprotected systems running vulnerable versions of the Chrome browser. They are aware that updates and patching are always slow in being applied. Counting on this gap in time, attackers will attempt to leverage this critical weakness in hopes of propagating their malicious wares (code).
Zero-Day Means Time is of the Essence
Once a vulnerability is discovered in the wild, time is of the essence. Hackers and attackers with malicious intent can seize the window of opportunity between gaining access and being discovered. Vendors are often caught off-guard and must work quickly to understand the vulnerability/exploit to generate a patch.
Attackers can rapidly disseminate their exploits via Internet Relay Chat (IRC) channels or dark web sites. This can mean that a variety of hackers are able to exploit the vulnerability.
These are all prudent examples of exercising due diligence, but still may not be enough protection against zero-day exploits.
Recent Zero-Day Attack Examples
Google is not the only organization facing zero-day threats. Many well-known technology companies have experienced zero-day vulnerabilities and exploits in recent years.
2020: Popular video conferencing platform, Zoom, suffered a zero-day attack which allowed hackers to access a user’s PC remotely if they were running an older version of Windows. If the target was an administrator, the hacker was able to completely take over the machine and access all files.
2020: Apple’s iOS was the victim of at least two zero-day vulnerabilities in 2020 including a bug that allowed attackers to compromise iPhones remotely.
2017: A Microsoft zero-day exploit was leveraged to gain access to personal bank accounts. Victims unwittingly opened a malicious Word document with a “load remote content” prompt. Once victims clicked “yes” the document installed malware on the device which could then capture financial log-in credentials.
Google Chrome’s Latest Zero-Day Vulnerability
As with many zero-day vulnerabilities, details are limited and users should continue to stay vigilant and attentive to developing announcements and security updates.
What if our organization is exploited?
If you suspect your organization, or systems used by your organization, has become the target of a zero-day exploit, it is important to follow these steps:
- Let your IT staff, SOC or your supervisor know right away if you believe or suspect you are infected.
- Systems should be scanned for the weakness/vulnerability as soon as possible.
- Organizations should ensure their anti-virus and other existing preventative controls and software are updated.
- Consider using a VPN in your organization. Many employees are now working remotely and the use of Virtual Private Networks (VPNs) can be a useful deterrent making it harder for attackers to leverage a browser weakness.
- Continue to educate users via sound and robust security awareness programs and to empower them to report any unusual activity on their systems.
- Consider configuring browsers to automatically apply updates as soon as they are made available by vendors or pushed out to end-users if centrally managed by the organization.
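As an added example (not part of the original article or any vendor tooling), the sketch below shows one way to carry out the scanning step: it compares Chrome versions collected from endpoints against the fixed build 99.0.4844.84 named above. The hostnames and inventory are constructed sample data, and the check assumes that every build numerically at or above the fixed one carries the patch.

```python
import re

# Fixed build named in the article for CVE-2022-1096.
FIXED_BUILD = "99.0.4844.84"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 99.0.4844.82'; return a tuple of ints or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text, fixed=FIXED_BUILD):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version.

    Versions are compared as integer tuples. A plain string comparison
    would rank '100.0.4896.60' below '99.0.4844.84' and misreport a
    newer browser as vulnerable.
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    return "patched" if version >= parse_version(fixed) else "vulnerable"


def triage(inventory):
    """Group hosts by status. Hosts with no readable version are kept
    apart so they get a manual follow-up instead of silently passing."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory.items():
        result[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hostnames and reported strings are made up).
SAMPLE_INVENTORY = {
    "ws-014": "Google Chrome 99.0.4844.82",
    "ws-022": "Google Chrome 99.0.4844.84",
    "mac-03": "Google Chrome 100.0.4896.60",
    "lin-07": "Google Chrome 98.0.4758.102",
    "ws-031": "not installed / agent error",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```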
Zero-day threats will continue to arise as hackers work diligently to exploit the systems and services used by organizations and individuals every day. IT professionals can work to secure and protect their organizations by becoming aware of challenges they face and working with a trusted cybersecurity partner to find solutions that fit their needs.
Contact Foresite today to find out more about how we can help defend your organization from the threats posed by zero-day vulnerabilities and other cyber risks through Provision Cybersecurity software, Network Security Monitoring, and much more!
Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.