CVE-2022-3723: Google Chrome 0-day Vulnerability

by do son · Published October 28, 2022 · Updated October 29, 2022

Google released a security bulletin to reveal the high vulnerability, which is a major security threat to Type Confusion in V8. To ensure security, Google has released an emergency security update to fix this vulnerability, the corresponding version number is Google Chrome 107.0.5304.87 for Mac and Linux and 107.0.5304.87/.88 for Windows.

The security vulnerability, tracked as CVE-2022-3723, was submitted by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast on 2022-10-25. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.

According to Google, “Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild.“ At present, it is only known that this vulnerability is a Type Confusion in V8. According to MITRE’s Common Weakness Enumeration, Type confusion errors arise when”The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.” Type Confusion bug allows an attacker to perform out-of-bounds memory access.

Based on security considerations, Google will only disclose the full details of the vulnerability after most users update. Often such vulnerabilities can be used to execute arbitrary code or escape the browser’s security sandbox, and interested researchers can wait for subsequent Google disclosures.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the company wrote.

Users of Google Chrome can go to the About page of the settings, where they can see the current version number and can automatically check the latest version. If the user deploys the online installation package, it can be updated automatically. If the user deploys the offline installation package, the user needs to manually download the new version to upgrade.

With this release, Google has issued security updates to address the seventh Chrome zero-day patch since the start of the year. The previous six zero-day vulnerabilities found and patched in 2022 are: