Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Federal Agencies Instructed to Patch New Chrome Zero-Day

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies about an actively exploited zero-day vulnerability in Google’s Chrome browser.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies about an actively exploited zero-day vulnerability in Google’s Chrome browser.

Tracked as CVE-2022-1096, the high-severity security hole was identified in Chrome’s V8 JavaScript engine and impacts all Chromium-based browsers.

Google issued an emergency fix for this bug on Friday, and Microsoft followed suit the next day, updating its Chromium-based Edge browser.

CISA has added the zero-day to its Known Exploited Vulnerabilities Catalog alongside 31 other bugs, including a high-severity Redis Server flaw now exploited in botnet attacks.

Tracked as CVE-2022-0543, the issue is described as a Redis Lua sandbox escape and remote code execution vulnerability that exists because the Lua library in some Debian/Ubuntu packages is delivered as a dynamic library.

[ READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes ]

Researchers at network services provider Juniper say that the Muhstik malware has been exploiting the vulnerability in attacks since March 11. Previously, the botnet’s operators were observed targeting Confluence server, Log4j, and Oracle WebLogic vulnerabilities.

While several of the other vulnerabilities that CISA has just added to its Must Patch list were resolved in 2021, the remaining are older bugs, some addressed a decade ago.

CISA is giving federal agencies three weeks (until April 18) to apply patches for these vulnerabilities. However, the agency told SecurityWeek earlier this year that those who fail to meet the deadlines are not penalized. Instead, CISA provides assistance to organizations that cannot meet the deadlines.

The Known Exploited Vulnerabilities Catalog is primarily for federal agencies, but organizations of all types are encouraged to use it to improve their patching operations.

Related: CISA Adds 66 Vulnerabilities to ‘Must Patch’ List

Related: CISA Urges Organizations to Patch Recent Firefox Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.