A recently patched Chrome vulnerability that appears to have been exploited by an Israeli spyware company also impacts Microsoft’s Edge and Apple’s Safari web browsers.
Google announced on July 4 that it had released an update for Chrome 103 to patch a zero-day vulnerability tracked as CVE-2022-2294. The flaw has been described as a heap buffer overflow in WebRTC, an open source project designed for adding real-time communication capabilities to browsers and applications.
Cybersecurity company Avast, which informed Google about the vulnerability and its exploitation on July 1, revealed this week that the Chrome zero-day appears to have been exploited in targeted attacks linked to Candiru, an Israeli company that provides surveillance tools to government customers.
In the attacks exploiting CVE-2022-2294, the attacker analyzed compromised devices and only pushed the zero-day exploit to systems that were considered important. Once they gained access to the device, the hackers delivered DevilsTongue, a sophisticated malware that can allow its operators to steal a wide range of data from compromised systems.
Avast saw attacks being launched against journalists in Lebanon, as well as against targets in Turkey, Yemen and Palestine.
The WebRTC component affected by CVE-2022-2294 is also present in other Chromium-based browsers, such as Microsoft Edge, and it’s also used by Apple in Safari.
Microsoft released an update for Edge on July 6 to patch the vulnerability, and informed customers that the Chromium team had been made aware of an exploit in the wild.
Apple patched the vulnerability in Safari on macOS Big Sur, Catalina and Monterey on Wednesday, but the tech giant did not mention malicious exploitation.
“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider,” Avast said on Thursday. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”
Sophos has speculated that it’s possible that the bug is not easy to exploit in Safari, or Apple may have not mentioned active exploitation simply because there is no evidence of attacks targeting its browser.
There is no word from Mozilla on whether Firefox is also impacted by CVE-2022-2294. Mozilla did patch some WebRTC-related vulnerabilities in Firefox in the past.