Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Federal Agencies Instructed to Patch New Chrome Zero-Day

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies about an actively exploited zero-day vulnerability in Google’s Chrome browser.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies about an actively exploited zero-day vulnerability in Google’s Chrome browser.

Tracked as CVE-2022-1096, the high-severity security hole was identified in Chrome’s V8 JavaScript engine and impacts all Chromium-based browsers.

Google issued an emergency fix for this bug on Friday, and Microsoft followed suit the next day, updating its Chromium-based Edge browser.

CISA has added the zero-day to its Known Exploited Vulnerabilities Catalog alongside 31 other bugs, including a high-severity Redis Server flaw now exploited in botnet attacks.

Tracked as CVE-2022-0543, the issue is described as a Redis Lua sandbox escape and remote code execution vulnerability that exists because the Lua library in some Debian/Ubuntu packages is delivered as a dynamic library.

[ READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes ]

Researchers at network services provider Juniper say that the Muhstik malware has been exploiting the vulnerability in attacks since March 11. Previously, the botnet’s operators were observed targeting Confluence server, Log4j, and Oracle WebLogic vulnerabilities.

While several of the other vulnerabilities that CISA has just added to its Must Patch list were resolved in 2021, the remaining are older bugs, some addressed a decade ago.

Advertisement. Scroll to continue reading.

CISA is giving federal agencies three weeks (until April 18) to apply patches for these vulnerabilities. However, the agency told SecurityWeek earlier this year that those who fail to meet the deadlines are not penalized. Instead, CISA provides assistance to organizations that cannot meet the deadlines.

The Known Exploited Vulnerabilities Catalog is primarily for federal agencies, but organizations of all types are encouraged to use it to improve their patching operations.

Related: CISA Adds 66 Vulnerabilities to ‘Must Patch’ List

Related: CISA Urges Organizations to Patch Recent Firefox Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights