Immediately update Google Chrome browser to patch new zero-day exploit


Google rolled out a security update to its Chrome browser on Monday that brings security, stability and performance improvements, including a fix for a zero-day vulnerability. The issue affects Chrome on Windows, Mac, and Android.

Chrome for Windows has been updated to version 103.0.5060.114, which includes four security fixes, three of which have been flagged by Google and contributed by third-party researchers:

  • High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek of the Avast Threat Intelligence team on 2022-07-01
  • High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at SSL on 2022-06-16
  • High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19

The most serious of the three, CVE-2022-2294, is a heap buffer overflow in WebRTC, the component that gives the browser its real-time communication capabilities. If exploited, this vulnerability could allow denial-of-service attacks or, in some cases, arbitrary code execution on the desktop, giving an attacker full access to the PC.

“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” said Google’s Monday security advisory for Windows. “The stable channel has been updated to 103.0.5060.114 for Windows, which will be rolled out in the coming days/weeks.”

Google says it will not reveal details about the exploit or the vulnerabilities until a majority of users have received the fix. It may also keep those restrictions in place if the bug exists in a third-party library that other projects depend on but that has not yet been fixed.

In addition to fixing the zero-day buffer overflow bug, Google’s Monday release also fixes two other high-severity bugs: a type-confusion bug in the V8 JavaScript engine tracked as CVE-2022-2295 and a use-after-free bug in Chrome OS Shell tracked as CVE-2022-2296.

In addition to Chrome for Windows, the fixes have also been released in Chrome for Android version 103.0.5060.71 for CVE-2022-2294 and CVE-2022-2295. Furthermore, the Chrome Extended Stable channel has been updated to 102.0.5005.148 for Windows and Mac to fix CVE-2022-2294.

If you use Chrome on Windows or Mac, update your browser as soon as possible. To check whether an update is available, click the three-dot menu in the top right of the Chrome window and choose Help > About Google Chrome, or open that page directly by typing chrome://settings/help into the address bar.
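Checking one machine through the About page is fine, but an administrator with many endpoints needs to compare reported build numbers against the fixed versions listed above. The Python script below is an added example, not part of the original article and not Google's tooling: it parses Chrome version strings numerically (plain string comparison gets this wrong) and compares each build only against the fixed version for its own channel, since a pre-fix Stable build such as 103.0.5060.53 is numerically higher than the Extended Stable fix 102.0.5005.148 yet still vulnerable. The channel names, the host,channel,version inventory format and all host names and the 104.x build are assumed for illustration.

```python
"""Check whether installed Chrome builds carry the fix for CVE-2022-2294/2295/2296.

The fixed version numbers are the ones quoted in the article; the channel names,
inventory format and host names are invented for this example.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Per-channel fixed builds, as given in Google's advisory (quoted in the article).
FIXED_VERSIONS: Dict[str, str] = {
    "stable-windows": "103.0.5060.114",
    "stable-mac": "103.0.5060.114",
    "stable-android": "103.0.5060.71",
    "extended-stable-windows": "102.0.5005.148",
    "extended-stable-mac": "102.0.5005.148",
}

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Comparing raw strings is a classic mistake: '103.0.5060.99' sorts after
    '103.0.5060.114' lexicographically, yet it is the older, unpatched build.
    """
    v = version.strip()
    if not _VERSION_RE.match(v):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in v.split("."))
    return (major, minor, build, patch)


def assess(installed: str, channel: str) -> str:
    """Return 'patched' or 'vulnerable' for an installed build on a named channel."""
    if channel not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for channel {channel!r}")
    cur = parse_version(installed)
    fixed = parse_version(FIXED_VERSIONS[channel])
    if cur[0] > fixed[0]:
        # A later milestone on the same channel ships after the fix and includes it.
        return "patched"
    if cur[0] < fixed[0]:
        # An older milestone never received this fix.
        return "vulnerable"
    return "patched" if cur >= fixed else "vulnerable"


def scan_inventory(lines: List[str]) -> Dict[str, str]:
    """Assess each 'host,channel,version' record.

    Malformed records are reported as errors rather than dropped, so bad data
    can never silently look like a patched host.
    """
    results: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, channel, version = (f.strip() for f in line.split(","))
            results[host] = assess(version, channel)
        except (ValueError, KeyError) as exc:
            host = line.split(",", 1)[0].strip() or "<unparsed>"
            results[host] = f"error: {exc}"
    return results


# Constructed sample inventory (hypothetical hosts) in host,channel,version form.
SAMPLE_INVENTORY = [
    "# host,channel,installed version",
    "win-01,stable-windows,103.0.5060.114",        # exactly the fixed build
    "win-02,stable-windows,103.0.5060.53",         # pre-fix Stable build
    "mac-01,extended-stable-mac,102.0.5005.148",   # Extended Stable fix
    "mac-02,extended-stable-mac,102.0.5005.115",   # pre-fix Extended Stable
    "droid-01,stable-android,103.0.5060.71",       # Android fix
    "win-03,stable-windows,104.0.0.1",             # hypothetical later milestone
    "win-04,stable-windows,103.0.5060",            # malformed version string
]

if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Feed the script the version strings your endpoint management tool already collects; the only parts to adapt are the channel names and the record format in `scan_inventory`.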

With this update, Google has fixed the fourth Chrome zero-day bug in the year 2022, including one in February (CVE-2022-0609), March (CVE-2022-1096), and April (CVE-2022-1364).
