
Google Chrome WebRTC Zero-Day Faces Active Exploitation

The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.

A zero-day security vulnerability in Google Chrome for Android is being actively exploited in the wild, the Internet giant says.

The issue is a high-severity heap-buffer overflow bug (tracked as CVE-2022-2294) in WebRTC. WebRTC is an HTML5 specification that allows webpages to play real-time audio and video content inside the browser.

"Google is aware that an exploit for CVE-2022-2294 exists in the wild," the company said in its advisory on the issue.

As usual, Google is keeping the vulnerability's technical details close to the vest until a majority of users have updated their browsers, but heap-buffer overflows in general are memory issues that can lead to a range of bad outcomes if exploited. Possible outcomes include crashing the device, denial of service (DoS), remote code execution (RCE), and security-service bypasses.
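As an added illustration of the bug class the article describes (this is constructed example code, not Chrome or WebRTC source, and the `frame_buf` type and `append_*` functions are hypothetical), the snippet below places an unchecked heap write beside its bounds-checked counterpart. The only difference is whether the caller-supplied length is validated against the remaining space in the heap allocation before the copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a fixed-capacity heap buffer of the kind a media
 * pipeline might use to assemble a frame. Not Chrome or WebRTC code. */
typedef struct {
    size_t capacity;      /* bytes allocated in data */
    size_t len;           /* bytes currently in use; invariant: len <= capacity */
    unsigned char *data;  /* heap allocation */
} frame_buf;

frame_buf *frame_buf_new(size_t capacity) {
    frame_buf *b = malloc(sizeof *b);
    if (b == NULL) return NULL;
    b->data = malloc(capacity);
    if (b->data == NULL) { free(b); return NULL; }
    b->capacity = capacity;
    b->len = 0;
    return b;
}

void frame_buf_free(frame_buf *b) {
    if (b == NULL) return;
    free(b->data);
    free(b);
}

/* Vulnerable pattern: the chunk length comes from the caller (ultimately from
 * the network) and is trusted. If n exceeds the free space, memcpy writes past
 * the allocation, which is exactly a heap buffer overflow: adjacent heap data
 * is corrupted, leading to crashes or worse. Shown for contrast only; the
 * demo never feeds it an oversized chunk. */
int append_unchecked(frame_buf *b, const unsigned char *src, size_t n) {
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Hardened: compute the remaining space and refuse the chunk instead of
 * overflowing. capacity - len cannot underflow because len <= capacity holds. */
int append_checked(frame_buf *b, const unsigned char *src, size_t n) {
    if (b == NULL || src == NULL) return -1;
    if (n > b->capacity - b->len) return -1;   /* would exceed the allocation */
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Feeds a sequence of constructed chunk lengths through the checked path and
 * returns how many were rejected; len never exceeds capacity afterwards. */
int count_rejected(size_t capacity, const size_t *chunks, size_t nchunks) {
    unsigned char src[64];
    memset(src, 0xAB, sizeof src);           /* constructed payload bytes */
    frame_buf *b = frame_buf_new(capacity);
    if (b == NULL) return -1;
    int rejected = 0;
    for (size_t i = 0; i < nchunks; i++) {
        if (chunks[i] > sizeof src) { rejected++; continue; }  /* source too small for this demo */
        if (append_checked(b, src, chunks[i]) != 0) rejected++;
    }
    frame_buf_free(b);
    return rejected;
}

int main(void) {
    /* constructed: 10 + 4 fit in a 16-byte buffer, the next 10 do not, the final 2 do */
    const size_t chunks[] = {10, 4, 10, 2};
    printf("rejected chunks: %d\n", count_rejected(16, chunks, 4));
    return 0;
}
```

The checked variant is the pattern reviewers look for in any code that copies network-controlled lengths into fixed heap allocations; a sanitizer build (AddressSanitizer) will flag the unchecked variant the first time an oversized chunk reaches it.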

Patrick Tiquet, vice president of security and architecture at Keeper Security, did some delving into the issue and says that the bug does indeed allow RCE.

"CVE-2022-2294 is a serious vulnerability that could lead to arbitrary remote code-execution by simply visiting a malicious website," he says. "This could enable an attacker to perform a variety of actions on a target system, such as install malware or steal information. Windows and Android Chrome users should ensure that they install the latest updates to protect themselves."

To address the flaw, Google released Chrome 103 (103.0.5060.71) for Android on Monday – it said that the update would be rolling out on Google Play "over the next few days."

The update fixes two other security bugs as well: One is a high-severity type-confusion bug (CVE-2022-2295) in Google's V8 open source JavaScript engine, which earned a $7,500 bug bounty for reporters avaue and Buff3tts at S.S.L.; and the other is an unspecified fix that was discovered internally. Type-confusion issues can also lead to code execution, crashes, and logic errors.

Tiquet adds, "Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets - compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser."

Fourth Exploited Chrome Zero-Day Bug in 2022

The WebRTC flaw is the fourth zero-day in Chrome so far this year. Notably, in April Google disclosed a type-confusion vulnerability (CVE-2022-1364) that was already being exploited in the wild, affecting V8, the browser's JavaScript and WebAssembly engine.

Another type-confusion problem in V8 (CVE-2022-1096) was patched in March; and the third (CVE-2022-0609) was patched in February, after it was exploited by a North Korean state-backed advanced persistent threat (APT) group, according to the Google Threat Analysis Group (TAG).

"With so many business and cloud applications depending on a web interface, browser vulnerabilities can be problematic," Mike Parkin, senior technical engineer at Vulcan Cyber, says. "Especially one as widely used as Chrome. It’s even worse when there are known exploits in the wild that leverage the vulnerability. Fortunately, Google has already developed patches for this vulnerability on both desktop and mobile platforms and will have them rolled out quickly."