Chrome users on Windows, macOS, and Linux have received an urgent upgrade notice from Google. A vulnerability in Google Chrome and Microsoft Edge, known as CVE-2022-1096, has prompted Google to issue a warning advising users to update to the most recent version. The warning comes after the discovery of a zero-day hack (meaning the flaw was known to hackers before it was patched), which Google says is currently “out in the open”. Anyone who does not install the most recent security update is at risk.
Google is keeping quiet about any specific details, presumably because of the potential for widespread damage from the hack. The problem, though, is with Chrome’s V8 component, an open-source JavaScript engine, and the threat level is “high,” according to the company. The attack, according to media outlet Bleeping Computer, allows hackers to launch destructive commands on target machines. As a result, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an order for federal personnel to update to the current version of the software within the next three weeks in order to patch the vulnerability. The vulnerability is now in CISA’s Catalog of Known Exploited Vulnerabilities.
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian entities to patch a Google Chrome zero-day and a severe Redis vulnerability, both of which are being actively exploited in the wild, within the next three weeks. The Chrome zero-day security flaw (recorded as CVE-2022-1096) is a high-severity type confusion weakness in the Chrome V8 JavaScript engine, according to a Google advisory published on Friday. It could allow threat actors to execute arbitrary code on targeted devices.
After a proof-of-concept (POC) exploit was publicly revealed on March 10th, the Muhstik malware gang developed a specialized spreader exploit for the Redis Lua sandbox escape vulnerability (recorded as CVE-2022-0543). Federal Civilian Executive Branch Agencies (FCEB) must safeguard their systems against these vulnerabilities, according to a binding operational directive (BOD 22-01) issued in November, with CISA giving them until April 18th to patch.
The US cybersecurity organization noted, “These types of vulnerabilities are a common attack vector for malevolent cyber actors of all types and represent a significant danger to the government enterprise.” CISA today added 30 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that they have been exploited in the open.