2022-01-04: Earliest identified exploitation (according to the linked article).
2022-02-10: Google TAG discovered the vulnerability.
2022-02-14: Google Chrome was patched.
????-??-??: Hopefully most folks have updated by now, such that that particular attack isn't getting anyone anymore.
According to the article:
> Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as “use after free in Animation” at the moment) to two separate attacker groups backed by the North Korean government.
Generally, "use-after-free" vulnerabilities could be prevented by using more secure memory-management systems. To be clear: this is easy to do, programming-wise; presumably the vulnerability was able to occur because the software-design favored performance over security.
Apparently the timeline was:
????-??-??: The bug was discovered and exploited.
2022-01-04: Earliest identified exploitation (according to the linked article).
2022-02-10: Google TAG discovered the vulnerability.
2022-02-14: Google Chrome was patched.
????-??-??: Hopefully most folks have updated by now, such that that particular attack isn't getting anyone anymore.
According to the article:
> Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as “use after free in Animation” at the moment) to two separate attacker groups backed by the North Korean government.
Generally, "use-after-free" vulnerabilities could be prevented by using more secure memory-management systems. To be clear: this is easy to do, programming-wise; presumably the vulnerability was able to occur because the software-design favored performance over security.