Chrome’s Recent Rash of Zero-Days is Only the Beginning
On September 2 of this year, Google had the unenviable task of announcing the sixth Chrome zero-day vulnerability to be exploited in the wild this year alone. According to an official advisory from Google, the critical vulnerability (CVE-2022-3075) was linked to “insufficient data validation” in the Mojo runtime libraries for Chromium — the open-source browser code base that Chrome, Edge, Opera, and many other popular browsers are based on.
The Mojo libraries allow Chrome or any other application that runs on it for multiple functions to carry out inter and intra-process communications. The announcement came just three weeks after another high-profile Chrome vulnerability (CVE-2022-2856) was found exploited in the wild, this one linked to “insufficient validation of untrusted input in Intents,” which allowed for arbitrary code execution and even system takeover when exploited.
Just six weeks before the Intents exploit, another high-severity Chrome vulnerability was found exploited in the wild (CVE-2022-2294), which was described as a heap-buffer overflow in WebRTC. Like the Intents exploit, the WebRTC vulnerability had grievous implications for end users — opening them up to denial-of-service (DOS), remote code execution (RCE), and other types of high-severity attacks.
Chrome Isn’t Alone: The Growing Trend of Browser-Based Attacks
While Google has since released updates to patch all three vulnerabilities, it’s only a matter of time until the next high-severity flaw is found exploited in the wild. The number of zero-day Chrome vulnerabilities found in the wild has increased dramatically over the past few years — skyrocketing from just 2 in 2019, all the way to 14 in 2021. And, although this year’s zero-day race is off to a slower start than last’s, there are still plenty of days left on the calendar.
More importantly, there’s plenty of motivation for malicious actors to unearth and exploit these vulnerabilities. With its newfound role as the enterprise employee’s primary gateway to access and perform work, the web browser has become an increasingly attractive target to the digital ne’er do wells of the world. And they’re having no shortage of success.
According to a recent analysis of the cybersecurity landscape, nearly two thirds of organizations have had a device compromised by a browser-based attack within the past 12 months. And, while Chrome remains the most popular target (by virtue of its 64% market share), it’s far from alone in its struggles with zero-days. In fact, the very same WebRTC exploit used against Chromium browsers (CVE-2022-2294) in July was also leveraged against Safari users.
Source: Google Security Blog March 10, 2022
Complexity Plays a Key Role in Growing Threats
The recent flood of in-the-wild Chrome exploits may be unprecedented, but it’s far from unexpected. Even Google has readily admitted that their recent zero-day woes represent a clear, consistent trend, and not simply an aberration. But, browsers having much larger targets on their backs isn’t the only reason we’re seeing these increases.
In a recent blog post from the Chrome Security Team, author Adrian Taylor recognizes the role of “evolved attacker focus,” but also points out that the growing complexity of web browsers has invited more opportunity for vulnerabilities.
“…there’s simply the fact that software has bugs,” Taylor writes. “Some fraction of those bugs are exploitable. Browsers increasingly mirror the complexity of operating systems — providing access to your peripherals, filesystem, 3D rendering, GPUs — and more complexity means more bugs.”
With the growing centrality of the web browser as a workplace productivity tool, and stiff competition in the space, you can be certain that browsers will continue to innovate and grow in complexity for the foreseeable future.
Red Access Maintains Browsing Security in the Face of Zero-Days
For these reasons, the recent spate of browser-based zero-days will not be slowing down anytime soon. On the contrary, organizations should expect these types of vulnerabilities to be found and exploited in the wild with greater volume and frequency in the months and years to come.
That’s why it’s imperative that organizations shift their focus away from securing the web browser and toward securing the web session — by adding another layer of security to every web session, regardless of whether the user is browsing in Chrome, Safari, or in an application like Dropbox or Slack. With Red Access, your organization is secured against browsing-based threats and exploits before the world’s even become wise to them. With Red Access, you no longer have to fear the “patch gap” or worry as to whether or not all your employees have updated their browsers in the wake of a zero-day.
Red Access is the first SaaS-based secure browsing platform that works to prevent threats across the entire browsing attack surface. This includes browsers, native applications that have web risks or cloud components, chat protocols, and any application that can transfer files, enable chat, or connect to the cloud.
Don’t just take our word for it. Start your free trial of Red Access today.