CISA Issues Directive To Patch This Exploited Chrome Flaw By December 26
Last week, Google began pushing out an update to its Chrome browser that fixes a critical security vulnerability in the browser’s JavaScript engine. Google noted in its blog post about the update that an exploit for this vulnerability is out in the wild. Then, on Monday, the Cybersecurity and Infrastructure Security Agency (CISA) announced the discovery of evidence that threat actors are actively leveraging this exploit in cyberattacks. The agency accordingly added the exploited Chrome vulnerability to its known exploited vulnerability catalog, giving federal agencies a due date of December 26 to apply Google’s patch to all affected systems.
The vulnerability in question is listed in the National Vulnerability Database (NVD) as CVE-2022-4262 with a high severity score of 8.8 out of 10. A researcher in Google’s Threat Analysis Group discovered the vulnerability at the end of November, prompting Google to develop a fix. While Google has since disclosed the existence of this vulnerability, the company is refraining from providing detailed information about the bug until a majority of users have applied the patch. Google simply describes the vulnerability as a type confusion bug in Chromium’s V8 JavaScript engine.
Now that CISA has listed the vulnerability in its known exploited vulnerabilities catalog, all Federal Civilian Executive Branch (FCEB) agencies are required by Binding Operational Directive (BOD) 22-01 to update all affected machines with Google’s patch. While these agencies have until December 26 to do so, CISA recommends that all organizations not bound by this directive prioritize applying the security patch in a timely manner. We’d also add that individual users should apply the relevant updates on their own devices as well. The chart below shows various Chromium-based browsers and their respective versions containing Google’s patch.
The vulnerability in question is listed in the National Vulnerability Database (NVD) as CVE-2022-4262 with a high severity score of 8.8 out of 10. A researcher in Google’s Threat Analysis Group discovered the vulnerability at the end of November, prompting Google to develop a fix. While Google has since disclosed the existence of this vulnerability, the company is refraining from providing detailed information about the bug until a majority of users have applied the patch. Google simply describes the vulnerability as a type confusion bug in Chromium’s V8 JavaScript engine.
Now that CISA has listed the vulnerability in its known exploited vulnerabilities catalog, all Federal Civilian Executive Branch (FCEB) agencies are required by Binding Operational Directive (BOD) 22-01 to update all affected machines with Google’s patch. While these agencies have until December 26 to do so, CISA recommends that all organizations not bound by this directive prioritize applying the security patch in a timely manner. We’d also add that individual users should apply the relevant updates on their own devices as well. The chart below shows various Chromium-based browsers and their respective versions containing Google’s patch.
| Browser | Patched Version |
| Brave |
1.46.134 |
| Google Chrome | 108.0.5359.94/.95 |
| Microsoft Edge |
108.0.1462.42 |
| Vivaldi |
5.5.2805.50 (desktop) / 5.5.2807.43 (Android) |
Chromium-based browsers like Google Chrome and Microsoft Edge will typically update themselves after a restart in unmanaged environments. To ensure the update goes through, users can navigate to the About Chrome or About Edge menu which will kick off a check for updates and begin installing it, if available. Once the update is installed, users will need to close and relaunch the browser as prompted for it to take effect.
