Google Addresses Fifth Actively Exploited Chrome Zero-Day of the Year with Critical Security Update

Google has officially released a critical security update for the Chrome desktop browser to address a series of vulnerabilities, including a high-severity zero-day bug that is currently being exploited in the wild. The update, which brings the browser to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows, contains 11 security fixes designed to fortify the world’s most popular web browser against sophisticated cyberattacks. This latest patch marks the fifth time in 2022 that Google has been forced to issue an emergency fix for a vulnerability that threat actors had already discovered and utilized before a solution was available.
The primary focus of this security advisory is the vulnerability tracked as CVE-2022-2856. Rated as "High" on the Common Vulnerability Scoring System (CVSS), the flaw is described as "insufficient validation of untrusted input in Intents." The discovery of this exploit is credited to Ashley Shen and Christian Resell of the Google Threat Analysis Group (TAG), a specialized team within Google dedicated to tracking and countering state-sponsored and high-level hacking operations. The involvement of TAG often suggests that the vulnerability may have been utilized by advanced persistent threat (APT) groups, although Google has not yet released specific details regarding the identity of the attackers or the scope of the ongoing campaign.
Understanding the Technical Nature of CVE-2022-2856
To understand the gravity of CVE-2022-2856, one must look at the "Intents" system within the Chromium architecture. Intents are a fundamental feature in the Android ecosystem and the Chrome browser that facilitate deep linking and inter-application communication. Historically, mobile and desktop browsers used URI (Uniform Resource Identifier) schemes to launch external applications. For example, clicking a "mailto:" link would trigger a user’s default email client. However, as mobile ecosystems evolved, Google introduced Chrome Intents to provide a more robust and secure method for web pages to trigger specific actions within installed apps.
The Intent system adds a layer of complexity by allowing a web developer to define specific instructions that the browser should follow if a certain app is not installed—such as redirecting the user to the Google Play Store or a specific landing page. While this improves user experience, it also introduces a broader attack surface. In the case of CVE-2022-2856, the "insufficient validation of untrusted input" means that the browser fails to properly scrutinize the data sent via these Intent strings.
When a software component fails to validate input correctly, it opens the door for an attacker to craft a malicious string that the system does not expect. According to the MITRE Corporation’s Common Weakness Enumeration (CWE) database, specifically CWE-20, improper input validation can lead to several catastrophic outcomes. If the application processes the malformed input as a command or a memory address, it can result in altered control flow, unauthorized access to system resources, or the execution of arbitrary code. In the context of a web browser, arbitrary code execution (ACE) is a "holy grail" for hackers, as it allows them to bypass security boundaries and run malicious software directly on a victim’s machine without their knowledge.
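As an added illustration of the weakness class the advisory names (CWE-20, insufficient validation of untrusted input), and not the undisclosed CVE-2022-2856 bug itself, the following Python was written for this page rather than taken from Chromium: it parses an intent: URL of the publicly documented shape and places a fallback-URL check that accepts anything beside a hardened one that enforces an http(s) allowlist. The host, package and fallback values in the samples are constructed, and the allowlist policy is this example's assumption.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample intent: URLs of the publicly documented shape
# (intent://HOST/PATH#Intent;key=value;...;end). Host, package and
# fallback values are made up for this example.
SAMPLE_OK = ("intent://scan/#Intent;scheme=exampleapp;package=com.example.app;"
             "S.browser_fallback_url=https%3A%2F%2Fexample.com%2Finstall;end")
SAMPLE_BAD = ("intent://scan/#Intent;scheme=exampleapp;package=com.example.app;"
              "S.browser_fallback_url=exampleapp%3A%2F%2Fsettings;end")

# Assumed policy: only web URLs are safe to open when the target app is missing.
ALLOWED_FALLBACK_SCHEMES = {"http", "https"}


def parse_intent_url(url: str) -> dict:
    """Split the ;-separated fields of the Intent fragment into a dict.

    Raises ValueError when the URL does not follow the intent: shape, so a
    caller cannot accidentally act on a half-parsed string.
    """
    if not url.startswith("intent://"):
        raise ValueError("not an intent: URL")
    fragment = urlsplit(url).fragment
    if not (fragment.startswith("Intent;") and fragment.endswith(";end")):
        raise ValueError("fragment must be Intent;...;end")
    params = {}
    for field in fragment[len("Intent;"):-len(";end")].split(";"):
        key, sep, value = field.partition("=")
        if not key or not sep:
            raise ValueError(f"malformed field {field!r}")
        params[key] = unquote(value)  # field values are percent-encoded
    return params


def fallback_url_unchecked(params: dict) -> Optional[str]:
    """Insufficient validation (CWE-20): whatever the page supplied is handed back."""
    return params.get("S.browser_fallback_url")


def fallback_url_checked(params: dict) -> Optional[str]:
    """Hardened form: a fallback is honoured only if its scheme is allowlisted."""
    fallback = params.get("S.browser_fallback_url")
    if fallback is None:
        return None
    if urlsplit(fallback).scheme.lower() not in ALLOWED_FALLBACK_SCHEMES:
        return None  # drop it rather than navigate to an unexpected scheme
    return fallback
```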
A Chronology of Chrome Zero-Days in 2022
The patching of CVE-2022-2856 is part of a broader trend of increasing zero-day discoveries in 2022. The browser has become a primary target for attackers because it serves as the gateway to both personal and corporate data. This latest fix represents the fifth successful exploitation of a previously unknown Chrome flaw this year.
The 2022 zero-day timeline for Google Chrome highlights a persistent struggle between security researchers and threat actors:
- February 2022 (CVE-2022-0609): The first zero-day of the year was a "use-after-free" vulnerability in Chrome’s Animation component. Google later revealed that this flaw was being actively exploited by North Korean state-sponsored hacking groups in a campaign targeting news media, IT companies, and fintech organizations.
- March 2022 (CVE-2022-1096): This vulnerability involved "Type Confusion" in the V8 JavaScript engine. V8 is the high-performance open-source engine developed by Google that handles JavaScript and WebAssembly. Type confusion occurs when the engine processes data as one type (e.g., an integer) when it is actually another (e.g., a pointer), leading to memory corruption.
- April 2022 (CVE-2022-1364): Another "Type Confusion" bug in the V8 engine was discovered under active attack, requiring a rapid out-of-band update just weeks after the March patch.
- July 2022 (CVE-2022-2294): This flaw was a "Heap Buffer Overflow" in WebRTC (Web Real-Time Communication), the engine that enables voice, video, and generic data to be sent between peers without needing plugins. This was particularly significant as WebRTC is used across various platforms, including mobile and desktop versions of several browsers.
- August 2022 (CVE-2022-2856): The current vulnerability involving insufficient validation in Intents, bringing the year-to-date total to five.
Additional Vulnerabilities Addressed in the Update
While the zero-day exploit has garnered the most attention, the Wednesday update also addressed ten other security issues, one of which was rated as "Critical." CVE-2022-2852 is a use-after-free vulnerability in the Federated Credential Management (FedCM) API. FedCM is a privacy-preserving API designed to facilitate federated identity flows—such as "Sign in with Google"—without the privacy risks associated with third-party cookies.
Use-after-free (UAF) vulnerabilities are a class of memory corruption bugs that occur when a program continues to use a pointer after the memory it references has been freed or reallocated. If an attacker can arrange for controlled data to occupy that freed memory, the program operates on attacker-chosen contents as though they were the original object, which can ultimately be turned into arbitrary code execution. The discovery of this critical bug is credited to Sergei Glazunov of Google Project Zero, highlighting the effectiveness of Google’s internal security audits.
Other patches in this release included fixes for heap buffer overflows in the Downloads component, use-after-free bugs in the "Omnibox" (the address bar), and various issues in the "TFLite" and "Blink" components.
The Strategy of Information Redaction
Google’s policy of withholding technical specifics about zero-day exploits is a deliberate security strategy. In the official release notes, the company stated, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed."
Satnam Narang, a senior staff research engineer at the cybersecurity firm Tenable, emphasizes the necessity of this "buffer period." According to Narang, publicizing the exact mechanics of a zero-day at the moment of the patch would essentially provide a roadmap for other attackers to develop their own exploits before the general public has had a chance to update their systems.
"Attackers are champing at the bit to exploit these types of flaws," Narang noted. "It takes time for security updates to propagate across hundreds of millions of devices. By holding back the details, Google provides defenders with a crucial window of opportunity to secure their environments."
Furthermore, because Chrome is built on the open-source Chromium Project, these vulnerabilities often extend to other browsers such as Microsoft Edge, Brave, Vivaldi, and Opera. A detailed exploit for Chrome could easily be adapted to target users of these other browsers, making the synchronized release of patches and the temporary suppression of technical data vital for the entire internet ecosystem.
Broader Implications for the Cybersecurity Landscape
The frequency of Chrome zero-days reflects a shift in the cyber threat landscape. As traditional operating systems become more hardened, attackers have moved up the stack to the application layer. The browser is now an operating system in its own right, handling complex tasks ranging from video conferencing to financial transactions. This complexity, while beneficial for the user, creates a massive codebase where vulnerabilities are inevitable.
Data from security firms indicates that 2021 was a record-breaking year for zero-day exploits, and 2022 is on track to maintain that high volume. The rapid response from Google’s Threat Analysis Group and Project Zero underscores the importance of proactive threat hunting. However, it also serves as a reminder to individual users and enterprise IT administrators that software updates are not merely for new features—they are the front line of defense against organized cybercrime and espionage.
For organizations, the discovery of CVE-2022-2856 highlights the risks associated with "untrusted input." Security professionals recommend implementing strict input validation protocols across all internal software development projects, as flaws like these remain the most common entry point for data breaches.
Recommended Actions for Users
Google has begun rolling out the update globally. For most users, Chrome will update automatically upon restarting the browser. However, given the active exploitation of CVE-2022-2856, security experts recommend that users manually verify they are running the latest version.
To update Chrome, users should:
- Open the Chrome browser.
- Click on the three vertical dots in the top-right corner to open the menu.
- Navigate to "Help" and then "About Google Chrome."
- The browser will automatically check for updates and download the latest version.
- Click "Relaunch" to apply the security patches.
By ensuring that the browser is updated to version 104.0.5112.101/102 or higher, users can effectively neutralize the threat posed by this latest zero-day and protect their systems from arbitrary code execution and other memory-based attacks. As threat actors continue to refine their methods, the speed of patching remains the most effective tool for the average internet user to stay safe online.
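For administrators checking a fleet rather than a single browser, the following Python, added here and not part of the article, flags hosts whose Chrome build predates the fixed version named above. It compares versions as integer tuples because a plain string comparison ranks "104.0.5112.99" above "104.0.5112.101"; the hostnames and most version numbers in the inventory are constructed.

```python
# Earliest fixed build named in the advisory. Windows shipped 104.0.5112.102/101,
# so .101 is the floor on every desktop platform.
FIXED_VERSION = (104, 0, 5112, 101)


def parse_version(text: str) -> tuple:
    """Turn '104.0.5112.101' into (104, 0, 5112, 101); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True when the build is the fixed version or later.

    Tuple comparison is what makes this correct: as strings,
    '104.0.5112.99' would sort after '104.0.5112.101'.
    """
    return parse_version(version) >= FIXED_VERSION


def hosts_needing_update(inventory: dict) -> list:
    """Return hostnames still on a vulnerable build, sorted for reporting."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed inventory: hostnames are made up, and only the two
# 104.0.5112.101/.102 entries are real build numbers from the advisory.
SAMPLE_INVENTORY = {
    "ws-01": "104.0.5112.101",
    "ws-02": "104.0.5112.99",   # same minor line, but before the fix
    "ws-03": "104.0.5112.102",
    "ws-04": "103.0.5000.1",    # never moved to 104
    "ws-05": "105.0.5200.0",    # later than the fix
}
```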