Get ready to patch. Google has uncovered hackers exploiting a previously unknown Chrome browser flaw.
The company mentioned the “zero-day exploit” in the latest patches for Chrome, which were released on Tuesday. Google detected the high-severity flaw with the help of its own security researchers.
The flaw has been given the designation CVE-2022-2856, but the company is remaining mum on details. For now, Google has only described the exploit as involving “insufficient validation of untrusted input in Intents.”
These intents can allow a web page to access and run a third-party app over the browser session. Hence, there's a good chance hackers are using the zero-day exploit to serve up malicious apps through a web page or phishing email.
CVE-2022-2856 marks the fifth time this year Google has patched an actively exploited flaw in the Chrome browser. Last month, Google patched a fourth flaw that security researchers at Avast believe is connected to an Israeli spyware company called Candiru and its attempts to spy on journalists.
Back in March, Google acknowledged it’s also seen an uptick in actively exploited zero-day flaws across the industry, particularly with the Chrome browser.
The company says one reason is that the security industry and Google have become better at uncovering zero-day attacks targeting users. At the same time, elite hackers are probably prioritizing finding ways to exploit Chrome, given the browser’s popularity.
Another factor is that “browsers increasingly mirror the complexity of operating systems—providing access to your peripherals, filesystem, 3D rendering, GPUs—and more complexity means more bugs,” Google says.
The
Read more on pcmag.com