The Cybersecurity and Infrastructure Security Agency (CISA) has added an additional security vulnerability to its list of bugs known to be exploited in attacks.

On Friday, the flaw (tracked as CVE-2022-4262) was patched as an actively exploited zero-day bug in the Google Chrome web browser for Windows, Mac, and Linux users.

In a security advisory released just before the weekend, Google said it “is aware of reports that an exploit for CVE-2022-4262 exists in the wild.”

This is the ninth Chrome zero-day exploited in the wild that Google has patched since the start of the year.

The bug is caused by a high-severity type confusion weakness in the Chromium V8 JavaScript engine, reported by Clément Lecigne of Google’s Threat Analysis Group.

Although type confusion flaws typically lead to browser crashes after successful exploitation by reading or writing memory out of buffer bounds, attackers can also exploit them to execute arbitrary code.

Although the company said it detected attacks exploiting this zero-day, it has not yet shared any technical details or information about these incidents. Withholding them allows the security update to roll out to all affected systems and gives users enough time to update their browsers before more attackers develop their own CVE-2022-4262 exploits.

Federal agencies ordered to patch within the next three weeks

According to a November 2021 Binding Operational Directive (BOD 22-01), all Federal Civilian Executive Branch (FCEB) agencies are now required to patch their systems against this bug according to the schedule provided by CISA.

They have three weeks, until December 26, to patch all vulnerable Chrome installations on their systems to ensure that ongoing exploit attempts are blocked.

Although BOD 22-01 only applies to US FCEB agencies, the DHS cybersecurity agency strongly encouraged all US private and public sector organizations to prioritize fixing this actively exploited bug.

Taking this advice to heart would help reduce the attack surface that threat actors can exploit to attempt to break into agency networks.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise,” the US cybersecurity agency explained.

Since the release of the binding directive, CISA has added hundreds of security bugs to its catalog of known exploited vulnerabilities, directing US federal agencies to patch them as soon as possible to block potential security breaches.
