Why Organizations Need to Patch a Critical Zero-Day in Chrome
Emergency update released to address CVE-2022-1096 as reports swirl of exploitation
Another week, another critical zero-day vulnerability to patch. This time it’s an emergency update issued by Google for a flaw that could allow attackers to run arbitrary code on victim machines. It’s been found in both Chrome and Microsoft’s Chromium-based Edge products. Given the popularity of these browsers, it’s likely that most organizations will need to take action.
Fortunately, Tanium enables customers to find, remediate and track the vulnerability at speed and scale across their entire endpoint estate.
What is CVE-2022-1096?
Reported anonymously, the vulnerability itself (CVE-2022-1096) is described as “Type Confusion in V8”—the JavaScript engine used in Chrome. According to Microsoft, type confusion bugs occur when “a piece of code doesn’t verify the type of object that is passed to it and uses it blindly without type-checking.” This can sometimes lead to code execution inside an affected application.
According to reports, the bug is being exploited in at least one phishing campaign targeting individuals in the crypto space, using Discord as an initial vector.
Why should you care?
Google claimed in its emergency notice that CVE-2022-1096 is already being actively exploited in the wild, which explains how quickly it issued the update. The patch was said to have been published within two days of the bug being reported. The firm also thought it serious enough to issue a standalone update to the browser (99.0.4844.84) for this single issue, rather than wait to fold several fixes into the release, as is usually the case. That hints at its criticality. Microsoft has also released an updated version of its Edge browser (99.0.1150.55) to mitigate the threat.
Another indication of the vulnerability’s seriousness is that it has been added to the Known Exploited Bug Catalog maintained by the US Cybersecurity & Infrastructure Security Agency (CISA). The agency has demanded all civilian federal government agencies patch the flaw by April 18. Although the catalog applies specifically to government entities, CISA has in the past urged all organizations to prioritize mitigation of the vulnerabilities it lists, which are now several hundred in number.
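The fixed builds named above (Chrome 99.0.4844.84 and Edge 99.0.1150.55) can be turned into a simple exposure check over a browser inventory export. The following is an added example, not Tanium's code or part of the original article; the CSV column names, hostnames and sample rows are constructed assumptions.

```python
import csv
import io

# Fixed builds named in the article; anything older is exposed to CVE-2022-1096.
FIXED_BUILDS = {
    "chrome": (99, 0, 4844, 84),
    "edge": (99, 0, 1150, 55),
}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """hostname,product,version
ws-001,chrome,99.0.4844.84
ws-002,chrome,99.0.4844.82
ws-003,edge,99.0.1150.46
ws-004,edge,100.0.1185.29
ws-005,chrome,unknown
ws-006,firefox,98.0.2
"""


def parse_version(text):
    """Return a 4-part integer tuple, or None if not a Chromium-style version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv):
    """Map hostname -> 'patched', 'vulnerable', 'unparsed' or 'out_of_scope'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED_BUILDS.get(row["product"].strip().lower())
        if fixed is None:
            status = "out_of_scope"  # product not covered by this check
        else:
            version = parse_version(row["version"])
            if version is None:
                status = "unparsed"  # needs manual follow-up; never assume safe
            else:
                # Tuple comparison orders versions field by field, numerically.
                status = "patched" if version >= fixed else "vulnerable"
        results[row["hostname"]] = status
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing versions as integer tuples avoids the string-comparison trap where "99.0.4844.9" would sort above "99.0.4844.84".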
How Tanium can help
Automatic Google and Edge updates will roll out in the coming days or weeks. But many organizations will want to tackle the issue in a more proactive manner, especially if the bug is being actively exploited by threat actors. Fortunately, Tanium has several tools that can help customers quickly and easily find where it exists across their estate, remediate and then track the vulnerability.
Here’s a quick rundown:
Tanium Comply is recommended for checking where the vulnerability is. The product is designed to identify vulnerability and compliance exposures within minutes, even across widely distributed infrastructure.
Tanium Interact can also be used to search for instances of CVE-2022-1096 across the enterprise. It allows IT teams to ask questions of their endpoints in plain English and receive rapid and comprehensive answers.
Tanium Deploy is your go-to tool to rapidly install, update and remove software from across the enterprise. So once you have identified where CVE-2022-1096 is, Deploy can be used to remediate.
Given the dynamic nature of today’s endpoint environments, consider Tanium Asset and Tanium Trends for ongoing tracking. Tanium Asset delivers a comprehensive inventory of hardware and software assets, while Tanium Trends provides continuous insight into security metrics and operational health.
Please read this article for more information from our Tanium Community on how to use these products to find, patch and track CVE-2022-1096. And for information to help with similar vulnerabilities, visit our Emerging Issues Blog.