One of the 11 bugs fixed this week in an update might have allowed arbitrary code execution and is now being exploited. It was a weakness in the input validation process. As part of a series of changes contained in a stable channel update made available on Wednesday, Google has corrected the fifth actively exploited zero-day vulnerability found in Chrome this year.
According to the alert published by Google, the flaw, identified as CVE-2022-2856 and classified as high on the Common Vulnerability Scoring System (CVSS), is related to “insufficient validation of untrusted input in Intents.”
The Google Threat Analysis Group (TAGAshley )’s Shen and Christian Resell are credited with discovering the July 19 zero-day issue that might lead to arbitrary code execution. In addition, the advisory released 10 more patches for various One of the updates contained in a stable channel update provided by Google on Wednesday addressed the fifth actively exploited zero-day vulnerability found in Chrome this year.
According to Google’s alert, the flaw is related to “insufficient validation of untrusted input in Intents” and is recorded as CVE-2022-2856. It is also classified as having a high Common Vulnerability Scoring System (CVSS) score The zero-day problem that potentially allows for arbitrary code execution was reported on July 19 by Google’s Google Threat Analysis Group (TAG), and the company thanks Ashley Shen and Christian Resell for doing so. Moreover, the advisory introduced 10 additional patches for various
Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday.#cybersecurityhttps://t.co/TqyfKiqTnM
— Cyber Tzar (@cybertzar) August 19, 2022
Branch, a business that provides numerous connection alternatives for mobile applications, claims that the deep linking capability on the Android device within the Chrome browser has replaced URI schemes, which previously handled this process.
According to the company’s website, “developers need to use their intent string as stated in this document in Chrome instead of a setting window. location or an iframe. src to the URI scheme.” The post claims that while intent “adds complexity,” it “automatically addresses the issue of the mobile app not being deployed.”
According to MITRE’s Common Weakness, input validation, a frequently used method for ensuring that potentially hazardous inputs are acceptable for processing within the code or when interfacing with other components, has insufficient validation.
According to a post on the website, “When software does not correctly validate input, an attacker is able to create the input in a manner that is not expected by the remainder of the application.” This will result in the system’s components getting undesired input, which could change how control is distributed or allow unauthorized code execution or resource control.
As is customary, Google withheld the specifics of the flaw until it had been widely patched, a precautionary measure that one security expert deemed sensible in order to prevent threat actors from exploiting it further.
According to Satnam Narang, senior staff research engineer at cybersecurity company Tenable, “publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences, because it takes time to roll out security updates to vulnerable systems and attackers are champing at the bit to exploit these types of flaws.” With other Linux distributions and browsers, like Microsoft Edge, including technology based on the Chromium Project, it makes sense to withhold information.