The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding an active zero-day vulnerability in Google’s Chrome browser. A zero-day vulnerability is a system or device flaw that has been disclosed but is not patched. As they are discovered before security researchers and software developers become aware of them—and before they can issue a patch—zero-day vulnerabilities pose a higher risk to users for the following reasons:

  • Cybercriminals prioritize these vulnerabilities to commit cybercrime.
  • Vulnerable systems are completely exposed until the vendor issues a patch.

Zero-day vulnerabilities are typically involved in targeted attacks; however, many campaigns still use old vulnerabilities. This latest flaw is called CVE-2022-1096 and was identified in Chrome’s V8 JavaScript engine. It impacts all Chromium-based browsers, potentially affecting anyone who uses them for personal or commercial purposes.

On Friday, March 25th, Google issued an emergency fix, and Microsoft followed suit the next day, updating its Chromium-based Edge browser. Evidence indicates that the security flaw had already been exploited before the emergency fix was implemented, potentially exposing billions of users to cybercriminals.

Google's Threat Analysis Group (TAG) has revealed it believes two threat groups—whose activity has been named Operation Dream Job and Operation AppleJeus, respectively—exploited the flaw as early as Jan. 4. According to a leading member of TAG, they have carried out coordinated campaigns “targeting U.S. based organizations spanning news media, IT, crypto, and fintech industries.”

The latest issue comes just a few weeks after news that the newest Chrome update included 11 security fixes, including 8 with a “high severity rating.” These flaws, which can allow sandbox escape or remote code execution, are mostly use-after-free issues. Google doesn’t typically assign high severity ratings to security vulnerabilities of this type.

The easiest way for users to protect against this latest flaw is to allow Chrome to update their browser. To update, click Settings > About Chrome. Chrome will confirm whether you have the latest version. If not, Chrome will automatically download the update, and once it has downloaded, Chrome will prompt the user to restart. Please note that the update cannot be fully installed without restarting the browser.

This latest flaw and the associated security breaches on the most widely used web browser highlight the ever-evolving avenues of attack open to cybercriminals. Protecting businesses by implementing correct cybersecurity protocols and cyber insurance coverage is increasingly necessary for all business types, from small to large. In addition, companies should actively assess their cyber risk profile and protect themselves from residual risk.