Threat Watch

CISA Orders Agencies to Patch Google Chrome Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has added a Google Chrome vulnerability found on December 2nd to its list of actively exploited vulnerabilities. The vulnerability is tracked as CVE-2022-4262 and has been reported as an actively exploited zero-day bug in the Google Chrome browser for Windows, Mac, and Linux users. The bug is caused by a high-severity type confusion weakness in the Chromium V8 JavaScript engine, reported by Clement Lecigne of Google's Threat Analysis Group. The company has yet to release technical details on this issue, likely waiting until the patch has been rolled out and affected parties have had enough time to update. According to CISA, all Federal Civilian Executive Branch Agencies must patch their systems before December 26th.

ANALYST NOTES

This is the ninth high-severity bug for which Chrome has released a patch during 2022. CISA has given its agencies three weeks to patch their systems. Because of this timeline, it is likely that we will not see technical details of this vulnerability until after that deadline. It is highly recommended that any organization with users running Google Chrome use CISA's requirements as a guideline for itself and endeavor to have all systems updated as soon as feasible within its risk and vulnerability management frameworks.

https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exploited-google-chrome-bug-by-dec-26th/