The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
Last updated on: December 20, 2022
Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug (CVE-2022-4262; QID 377804) is a Type Confusion vulnerability in Chrome’s V8 JavaScript Engine.
Google has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.
Google’s previous zero-days were also released right before a weekend (see Don’t spend another weekend patching Chrome and Don’t Spend Your Holiday Season Patching Chrome).
Organizations respond, but slowly
Analyzing anonymized data from the Qualys data lake, the Qualys Threat Research Unit found for Chrome zero-day vulnerabilities introduced between February and August, more than 90% of these instances were remediated. However, it took 11-21 days to remediate via the Chrome patch. With the frequency of vulnerabilities released in this widely used browser and the fact that browsers, by their nature, are more exposed to external attacks, reducing the MTTR for those Chrome vulnerabilities is critical.
Of the nine Chrome zero-day threats this year, five were introduced just before the weekend on a Thursday or Friday. Organizations that don’t leverage automated patching must spend the weekend or holiday working on the manual, lengthy process of detecting vulnerable devices, preparing the Chrome patch, testing it, and deploying it to affected assets.
| CVE | Release Date | Day of the Week | Vulnerability Remediation Rate |
|---|---|---|---|
| CVE-2022-0609 | 2/14/2022 | Monday | 94% |
| CVE-2022-1096 | 3/25/2022 | Friday | 94% |
| CVE-2022-1364 | 4/14/2022 | Thursday | 93% |
| CVE-2022-2294 | 7/4/2022 | Monday | 93% |
| CVE-2022-2856 | 8/16/2022 | Tuesday | 91% |
| CVE-2022-3075 | 9/2/2022 | Friday | 85% |
| CVE-2022-3723 | 10/27/2022 | Thursday | 65% |
| CVE-2022-4135 | 11/24/2022 | Thursday (Thanksgiving) | 52% |
| CVE-2022-4262 | 12/2/2022 | Friday | NA |
Qualys Patch Management speeds remediation
The Qualys Threat Research Unit has found on average critical vulnerabilities are weaponized in 15.9 days. Significantly reducing MTTR shortens the exposure window and improves an organization’s risk posture.
Qualys Patch Management with Zero-Touch Patching allows organizations to use their Qualys Cloud Agent for vulnerability management and to deploy third-party application patches, including Chrome. If the Qualys Cloud Agent is installed on an asset, customers can patch it, regardless of any other deployed patch solution. By defining a simple zero-touch policy, assets can automatically deploy patches when the vendor releases a new one. If testing patches like Chrome is required before production deployment, automatically setup a zero-touch policy to deploy to a set of test devices before deploying the same tested patches to production devices.
If you are a Qualys customer without Patch Management, a trial can be enabled quickly, leveraging the same agent used with VMDR. This allows you to immediately deploy the Chrome patch to your environment and create those automation jobs to ensure that the next time Google or any other vendor releases a patch, your assets are automatically updated.