
Chrome, Edge and Safari browsers at risk from three new zero-days


Security researchers at Avast have uncovered a new Chrome zero-day, along with two further zero-days, being exploited in a campaign that targeted journalists with sophisticated spyware known as DevilsTongue.

Avast's researchers found multiple campaigns, each delivering the exploit in its own way to Chrome users in the Middle East, specifically in Lebanon, Palestine, Turkey and Yemen. The watering-hole sites selected their targets carefully, and once a target was exploited the attackers used the access to install DevilsTongue, Candiru's advanced spyware.

Google patched the flaw, tracked as CVE-2022-2294, on July 4 after being privately notified by the researchers. Microsoft and Apple have since patched Edge and Safari respectively, as both browsers also ship the affected WebRTC code.

The vulnerability is a heap buffer overflow in WebRTC, which the attackers abused to run shellcode inside Chrome's renderer process. WebRTC (Web Real-Time Communications) is an open-source framework, built into all major browsers, that provides real-time voice, video and data channels between browsers through a JavaScript API.


A heavily protected exploit

Candiru has gone to great lengths to protect this exploit. Once a target visits the exploit server, Candiru collects over 50 data points to build a profile of the victim’s browser, including the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more.

Once a target is selected, the exploit server performs an RSA-2048 key exchange with the browser and uses the resulting key to set up an encrypted channel over which the zero-day exploits are delivered. This encryption is layered on top of the ordinary TLS session: even someone able to intercept and decrypt the HTTPS traffic, such as a researcher or proxy sitting in the middle of the connection, sees only ciphertext and cannot recover the exploit in plaintext.


Once the exploit has run and DevilsTongue is installed on the victim's computer, it escalates its privileges through a legitimately signed third-party Windows driver that contains yet another zero-day vulnerability. Because Windows loads signed drivers into kernel mode, exploiting the driver gives DevilsTongue kernel-level access. The technique is known as "bring your own vulnerable driver" (BYOVD): the attacker ships the vulnerable driver alongside the malware, so driver signature enforcement alone does not stop it and defenders have to rely on blocking known-vulnerable drivers by name or hash.

Despite the obfuscation, Avast recovered the attack code, which allowed it to identify the vulnerabilities and report them to both Google and the driver's maker. While Google, Microsoft and, more recently, Apple have all patched the browser vulnerability, there is no word from the driver maker on when a fix will be released. At the time of writing, only Avast and McAfee detected the driver exploit.

A further concern is that the WebRTC bug on its own only gives code execution inside Chrome's sandboxed renderer process; a separate zero-day was needed to escape the sandbox, and Avast was unable to recover that second exploit. The sandbox-escape vulnerability therefore remains unidentified and unpatched, and could be used again in future attacks.

Other groups may also be exploiting WebRTC

Candiru had been lying low since Microsoft and Citizen Lab published multiple exposés of its toolset last July. It resurfaced in March with an updated toolkit and has since been very careful to protect its exploits from security researchers and rival hacking groups.

Avast researcher Jan Vojtěšek explains that while there is no way of ascertaining whether other groups were also exploiting the WebRTC vulnerability, it is possible, as multiple groups sometimes discover zero-day vulnerabilities independently, or vulnerabilities and exploits are sold between groups. At the moment, however, there is no indication of any other group exploiting this vulnerability.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes, edits, shoots and codes all things cybersecurity, gaming and tech hardware. When he's not, he streams himself racing virtual cars. He has been writing and reporting on tech and cybersecurity for websites such as Candid.Technology and MakeUseOf since 2018.