Connect with us

Hi, what are you looking for?



Chrome Flaw Exploited by Israeli Spyware Firm Also Impacts Edge, Safari

A recently patched Chrome vulnerability that appears to have been exploited by an Israeli spyware company also impacts Microsoft’s Edge and Apple’s Safari web browsers.

A recently patched Chrome vulnerability that appears to have been exploited by an Israeli spyware company also impacts Microsoft’s Edge and Apple’s Safari web browsers.

Google announced on July 4 that it had released an update for Chrome 103 to patch a zero-day vulnerability tracked as CVE-2022-2294. The flaw has been described as a heap buffer overflow in WebRTC, an open source project designed for adding real-time communication capabilities to browsers and applications.

Cybersecurity company Avast, which informed Google about the vulnerability and its exploitation on July 1, revealed this week that the Chrome zero-day appears to have been exploited in targeted attacks linked to Candiru, an Israeli company that provides surveillance tools to government customers.

In the attacks exploiting CVE-2022-2294, the attacker analyzed compromised devices and only pushed the zero-day exploit to systems that were considered important. Once they gained access to the device, the hackers delivered DevilsTongue, a sophisticated malware that can allow its operators to steal a wide range of data from compromised systems.

Avast saw attacks being launched against journalists in Lebanon, as well as against targets in Turkey, Yemen and Palestine.

The WebRTC component affected by CVE-2022-2294 is also present in other Chromium-based browsers, such as Microsoft Edge, and it’s also used by Apple in Safari.

Microsoft released an update for Edge on July 6 to patch the vulnerability, and informed customers that the Chromium team had been made aware of an exploit in the wild.

Advertisement. Scroll to continue reading.

Apple patched the vulnerability in Safari on macOS Big Sur, Catalina and Monterey on Wednesday, but the tech giant did not mention malicious exploitation.

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider,” Avast said on Thursday. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”

Sophos has speculated that it’s possible that the bug is not easy to exploit in Safari, or Apple may have not mentioned active exploitation simply because there is no evidence of attacks targeting its browser.

There is no word from Mozilla on whether Firefox is also impacted by CVE-2022-2294. Mozilla did patch some WebRTC-related vulnerabilities in Firefox in the past.

Related: Google Issues Emergency Fix for Chrome Zero-Day

Related: Emergency Firefox Update Patches Two Actively Exploited Zero-Day Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.