Google releases emergency Chrome fix for zero-day bug

Image:

Google releases emergency Chrome fix for zero-day bug

The company is aware of an existing in-the-wild exploit for the vulnerability

Google has issued emergency patches to patch a security vulnerability that it says is actively being exploited in the wild in its Chrome web browser.

According to the company, the Stable channel has been updated to version 107.0.5304.121 for Mac and Linux, and to version 107.0.5304.121/.122 for Windows. These updates are scheduled to roll out for all users over the next few days or weeks.

The security vulnerability fixed by the latest update is CVE-2022-4135, a high-severity, heap buffer overflow weakness in GPU.

Google credited Clement Lecigne of its Threat Analysis Group for discovering the flaw on November 22, 2022.

Google says it is aware of an exploit for CVE-2022-4135 existing in the wild. However, the company did not go into technical specifics regarding how the security vulnerability was used in attacks or the threat actors that may have weaponised it.

Until a patch has been made available to the vast majority of users, access to bug information and links may be kept restricted, according to the company.

'We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed,' it added.

Attacks that target heap buffer overflow bugs in Chrome's GPU could result in unrestricted information access or the arbitrary code execution. It is possible for malicious people to use such vulnerabilities to install unwanted software on personal computers.

To install latest Chrome update, users should visit Settings -> About Chrome -> Wait for the download of the latest version to finish and -> Restart the programme.

CVE-2022-41 is the eighth zero-day Chrome bug exploited by malicious actors in attacks this year.

The previous seven zero-days are:

CVE-2022-3723
CVE-2022-3075
CVE-2022-2856
CVE-2022-2294
CVE-2022-1364
CVE-2022-1096
CVE-2022-0609

CVE-2022-3723, which was fixed by Google last month, is a high-severity, type confusion bug in the Chrome V8 JavaScript engine. The vulnerability was discovered and reported to Google by analysts at Avast.

CVE-2022-3075, which was addressed in September, was described as an insufficient data validation issue in Mojo— a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).

Sophisticated hackers usually take advantage of zero-day bugs and employ them in highly targeted attacks.

To prevent any exploitation efforts, all Chrome users must upgrade their web browsers as soon as updated are released by their makers.