For the second time this year, Google is releasing a security patch for Chrome, with the aim of closing a zero-day flaw (CVE-2022-1096) actively used by hackers. This time it is a bug in the browser’s V8 JavaScript engine. The vulnerability is of the “type confusion” type, which means that a variable or an object can access memory under a different type than originally intended. Which can lead to memory buffer overflows, and thus arbitrary code executions. However, Google does not give any other technical details.
Also see video:
Last February, Google had already patched a zero-day flaw (CVE-2022-0609) in Chrome’s “Animation” module. As stated by one report published a few days ago, this vulnerability was used by two suspected North Korean hacker groups. The first, baptized “Operation Dream Job”, sent false recruitment announcements to 250 people in a dozen American companies: media, hosts, domain name registrars, software publishers.
The second group, “Operation AppleJuice”, disseminated links to fake sites talking about cryptocurrency. It targeted 85 people working in this economic sector. Unfortunately, Google was only able to analyze the malware dedicated to the initial compromise. It is therefore not known what the objectives of these attacks were.
Source : google