The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a type confusion bug in V8, the JavaScript engine of Google's Chromium, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2023-4762, affects Google Chrome versions prior to 116.0.5845.179 and allows a remote attacker to execute arbitrary code through a crafted HTML page.
In September 2023, Citizen Lab, together with Google's Threat Analysis Group (TAG), revealed that three recently patched Apple zero-days (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) had been used to install the Cytrox Predator spyware. The researchers reported that the exploit chain for these flaws was delivered in two ways, one of which involved exploiting CVE-2023-4762.
Google TAG's analysis stated, “The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.” Furthermore, they assessed that Intellexa had also previously used this vulnerability as a 0-day exploit.
In accordance with Binding Operational Directive (BOD) 22-01, which aims to reduce the significant risk of known exploited vulnerabilities, Federal Civil Executive Branch (FCEB) agencies are required to address the identified vulnerabilities by a specified due date to protect their networks against attacks exploiting the flaws listed in the catalog. Experts also suggest that private organizations review the Catalog and address the vulnerabilities within their own infrastructure.
CISA has mandated that all federal agencies rectify this vulnerability by February 27, 2024.