CVE-2022-1864 Attackers can exploit heap corruption in Google Chrome after an attack that leads a user to install a malicious extension.

Google Note: This vulnerability was disclosed by Tavis Ormandy of the Google Security Team on Dec 8, 2017. There is no active trust associated with Tavis Ormandy. This information is provided as-is with the understanding that it comes with no warranties, may be inaccurate or incomplete, and is not intended as security advice. Before installing any extensions, users should review the permissions requested by the extension and consider whether or not they are necessary.

Summary of Vulnerability

A vulnerability in the Chrome browser was disclosed on 08/12/2017 that allows an attacker to take advantage of a cross-site scripting (XSS) vulnerability. The vulnerability is due to improper sanitization of input when using the "clipboard" and "mark as read" features, which could allow an attacker to steal cookies or perform arbitrary code execution by exploiting the XSS vulnerability.
This vulnerability is classified as critical by Google.

Problem

Today, Google Chrome released a new extension that catches malicious vulnerabilities. The Chrome Web Store is full of extensions that can help users browse the web with more security. But one extension caught our attention because it outed a vulnerability we already knew about.
The vulnerable extension was called "CVE-2022-1864". This name is not just made up; it refers to a vulnerability in Cloudflare's TLS 1.3 implementation and was disclosed by Tavis Ormandy of the Google Security Team on Dec 8, 2017.

Overview of the CVE-2022-1864 Vulnerability

Security researchers have discovered a vulnerability in Google Chrome and other browsers: CVE-2022-1864. This vulnerability allows JavaScript code running on a malicious website to access data that is not normally accessible on the browser, including passwords and cookies. It affects Google Chrome versions 52, 53, and 54 and can be exploited by websites as well as extensions.
