Otto background

6th Zero-Day in Chrome – Mojo Vulnerability

On Friday, September 2nd, Google disclosed CVE-2022-3075 to the public. This vulnerability is being actively exploited in the wild and should be a priority to patch for all organizations.

CVE-2022-3075 marks Chrome's 6th zero-day of 2022

The vulnerability, shared by Google, is found in Windows, Mac, and Linux builds of the Chrome browser. It is an insufficient data validation vulnerability in Mojo.

Mojo is a collection of runtime libraries providing abstraction of common IPC primitives, message IDL formatting, and bindings libraries with code generation for multiple languages to facilitate message passing across inter- and intra-process boundaries. This makes Mojo a critical set of libraries used by Chromium, the codebase on which Google Chrome and many other applications are built.

An improper data validation vulnerability is a type of vulnerability in software in which the application does not validate (or incorrectly validates) the input allowing an attacker to control the flow of data or logic within the application. Adversaries can exploit this vulnerability by persuading a target victim to visit a specially crafted website. Once visited, the attacker can then leverage the vulnerability to bypass security controls or restrictions on the target system.

Recommended remediation

Automox customers can quickly fix this vulnerability by using a “Patch All” policy for Google Chrome. A highly automated policy like this guarantees that you both fix the vulnerability as well as mitigate the most common and highest risk applications should they be exposed to a critical or zero-day vulnerability.

We recommend you set up these policies on a recurring schedule to capture future patches. Doing so will help you deploy these new updates as soon as they’re available. If you haven’t already, you can automate Chrome patching here.

6 Chrome vulnerabilities in 2022 alone

This is the sixth zero-day Google has patched in Chrome under active attack this year. Here are the five others:

  1. February witnessed CVE-2022-0609, the first Chrome zero-day of the year. The vulnerability came from a use-after-free flaw in Chrome’s Animation component. Later, word spread that North Korean attackers exploited the vulnerability several weeks before it was even noticed or remediated.

  2. The following month CVE-2022-1096 surfaced. Though quickly patched, it presented another type-confusion issue in V8.

  3. In April, Google patched CVE-2022-1364 – a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine on which attackers already had pounced.

  4. Then in May, CVE-2022-2294 presented itself as a buffer overflow flaw Google had to patch. And last month, Google patched an actively exploited heap buffer overflow flaw in WebRTC, also tracked as CVE-2022-2294.

  5. And in August, CVE-2022-2856 popped up. This was also an insufficient data validation for untrusted input in Intents vulnerability in the Chrome Intents URI scheme.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic