Google, working with a variety of external security researchers, announced today that it has patched 11 security issues in its latest Stable Channel Update for Desktop. (Chrome ships through several release channels so that updates roll out to users gradually. Most users are on the Stable channel, which is updated roughly every 2-3 weeks for minor releases and every 4 weeks for major releases.)
Below you’ll find a few of the highlighted patches:
- Critical CVE-2022-2852: Use after free in FedCM. Reported on 2022-08-02
- High CVE-2022-2858: Use after free in Sign-In Flow. Reported on 2022-07-05
- High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported on 2022-07-19
- Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported on 2022-06-22
It should be noted that Google says it is aware that an exploit for CVE-2022-2856 exists in the wild, meaning the bug is already being used in real attacks, not merely that details of it have been published.
What does this mean for my company?
If your organization uses Google Chrome, every machine still running an older build is exposed to an exploit that attackers already have, and a compromised browser is a common starting point for a wider intrusion and other forms of cybercrime.
A vulnerability is the weakness itself; an "exploit" is code or a technique that actually takes advantage of it. An exploit is said to be "in the wild" when it is being used against real targets, which is the most urgent case: the attackers have done the hard work already, and reusing a working exploit against every unpatched browser they can reach is cheap. That is what drives the risk here.
How do I prevent an attack?
The standard answer is to apply the vendor's patch as soon as it is released: update Chrome to the fixed build and verify that every endpoint actually received it.
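As a concrete check for that patching step, the following is an added example (not code from Google or from this post's author) that triages an endpoint inventory against the first Stable build carrying the fix. The post does not state the build number; the threshold 104.0.5112.101, the Windows/Mac/Linux Stable release of 16 August 2022 that shipped these 11 fixes, is assumed here and can be changed. The inventory rows are constructed sample data, standing in for an MDM or EDR export.

```python
"""Flag Chrome installs that are still below the first fixed Stable build."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# First Stable build carrying the fixes discussed above, including
# CVE-2022-2856 (exploited in the wild). Assumed value: the post does not
# state it; 104.0.5112.101 is the Windows/Mac/Linux Stable release of
# 16 August 2022. Adjust if your platform or channel differs.
FIXED_BUILD = "104.0.5112.101"

# Chrome versions are exactly four dot-separated integers: major.minor.build.patch
_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a Chrome version string such as '104.0.5112.101' into an int tuple.

    Comparing version strings lexicographically is wrong
    ('104.0.5112.81' > '104.0.5112.101' as strings), so callers compare tuples.
    Raises ValueError on anything malformed, so a bad inventory row is surfaced
    instead of being silently treated as patched.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True if `version` is at or above the first fixed build."""
    return parse_version(version) >= parse_version(fixed)


@dataclass(frozen=True)
class Host:
    name: str
    chrome_version: str  # empty when the inventory has no Chrome entry


def triage(hosts: Iterable[Host], fixed: str = FIXED_BUILD) -> Dict[str, List[str]]:
    """Bucket hosts into patched / vulnerable / unknown.

    'unknown' holds hosts whose version could not be parsed (missing or
    malformed). Treat those as vulnerable until verified by hand.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host in hosts:
        try:
            bucket = "patched" if is_patched(host.chrome_version, fixed) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host.name)
    return result


# Constructed sample inventory (hypothetical hosts), shaped like an MDM/EDR export.
SAMPLE_INVENTORY = [
    Host("ws-001", "104.0.5112.101"),  # exactly the fixed build
    Host("ws-002", "104.0.5112.81"),   # previous Stable build, still vulnerable
    Host("ws-003", "105.0.5195.52"),   # newer than the fix
    Host("ws-004", "103.0.5060.134"),  # two Stable releases behind
    Host("ws-005", ""),                # no Chrome entry recorded
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:<10} {', '.join(names) or '-'}")
```

The point of the integer-tuple comparison is that a naive string comparison would report the previous Stable build (patch level 81) as newer than the fix (patch level 101) and silently mark vulnerable hosts as patched; hosts with no parseable version are reported separately rather than dropped, because a missing inventory entry is not evidence of a patched browser.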
Google says: "If Chrome is reminding you to update, please do! If you're an enterprise IT professional, keep your users up-to-date by keeping auto-update on, and familiarize yourself with the added enterprise policies and controls that you can apply to Chrome within your organization. We strongly advise not focusing on zero-days (unknown vulnerabilities) when making decisions about updates, but instead assuming any Chrome security bug is under exploitation as an n-day (known vulnerabilities)."
In other words, your organization is exposed from the moment a vulnerability is being exploited until Google ships a fix and that fix reaches every machine, and you have to repeat that hurried rollout every time a new vulnerability is published.
The answer is Seraphic!
This is where Seraphic is revolutionizing cyber security, starting with the browser. Seraphic stops attacks that take advantage of weaknesses in the browser.
Seraphic does not rely on detection. It assumes that all code the browser receives, from any source, even the most trusted domain, may be malicious. Its patent-pending "Chaos Engine" makes the JavaScript engine (JSE) environment unpredictable, and therefore not exploitable, while valid code executes normally.
Other security products will recommend “fast patching” as the remedy, but with Seraphic, your organization can safely use previous versions of your browser, without rushing to upgrade every time a new vulnerability is published.
Our goal is for you to stay productive and make changes when you’re ready, after making the necessary tests, while staying safe. Seraphic’s protection doesn’t rely on prior knowledge or existing browser capabilities to prevent attacks against the user or against the browser.