CVE-2022-1138 Inappropriate implementation of Web Cursor in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to obscure the contents of the Omnibox by compromising the renderer process.

Google has assigned the highest priority to fixing this issue, and released a beta version of Chrome 70, which protects against this attack by default. If you are using an earlier version of Chrome, we strongly recommend updating as soon as possible. In addition to the fixes described in this advisory, Google Chrome 70 also improves security by blocking Google Analytics scripts in Incognito mode by default. If you are using Google Analytics on an unencrypted site, you may now see an error message stating that data collection is blocked due to security reasons.

How to update Chrome

To update Chrome to the latest version, click the three lines in the upper-right corner of your browser window, select "About Chrome," and then click "Update Now."

What is WebAssembly?

WebAssembly is a new programming language designed for client-side scripting, which enables applications to run on the web without relying on JavaScript. WebAssembly is designed so that it can be compiled to machine code using the LLVM compiler infrastructure, which means that it is compatible with all modern browsers. In addition, WebAssembly will enable faster loading times, because as a binary format it can be loaded directly into memory rather than being interpreted by JavaScript.
WebAssembly also has support for "exports," meaning that application developers can design modular projects with independent deployment and compilation targets in mind. This allows applications to be divided into logical components that are optimized for different platforms or operating systems, such as the browser and mobile devices.

What is the Cross-Origin Resource Sharing (CORS) attack?

Cross-Origin Resource Sharing (CORS) refers to a security mechanism that allows browsers to share data across domains. The most common use of CORS is for retrieving JSON or XML documents from different domains, such as third-party APIs. Cross-origin resource sharing is not enabled by default in browsers, and its availability has been historically limited. It allows client-side applications to make requests to servers on other origins, which is important for modern web applications that depend on JavaScript libraries and frameworks.

What is a variant attack?

A variant attack is a type of SQL injection that uses parameterized queries. In this specific instance, the attacker sent repeated GET requests with a variety of different query strings: some using the correct password and others requesting data from other accounts.
