Google has released a new patch to address a dangerous zero-day vulnerability that hackers are actively exploiting in the Google Chrome browser.
The new update (version 103.0.5060.114), released on July 4, 2022, will, according to Google, be available to all Chrome users globally within a few weeks. Users have been advised to update their software and install this “critical security fix” as soon as possible to avoid falling victim to this vulnerability.
Chrome on Windows, macOS, and Linux is vulnerable to the new zero-day, CVE-2022-2294. A zero-day is the most dangerous form of attack because it means the vulnerability is known to hackers before Google could issue a fix. As the company admits, “Google is aware that an exploit for CVE-2022-2294 exists in the wild.” This means every Chrome user is vulnerable.
The CVE-2022-2294 vulnerability itself is a buffer overflow in the Web Real-Time Communications (WebRTC) component. The problem became known a few days ago, when it was reported by Avast Threat Intelligence specialists. Exploiting the vulnerability allows attackers to perform various actions on the victim’s device, including the remote execution of arbitrary code.
Even though CVE-2022-2294 is known to be exploited in practice, Google is in no hurry to disclose details of the problem. The company noted that access to information about the vulnerability will be limited until a patch that eliminates it is installed on the devices of the vast majority of Chrome users, which may take several weeks.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed”. We advise you to immediately update your Chrome browser.
If you’re using a macOS-, Linux-, or Windows-powered device, you’re advised to download version 103.0.5060.114. If you’re using an Android-powered device, updating to version 103.0.5060.71 is recommended.
In most cases, Chrome will automatically install this update, but will not do so if your automatic update feature is disabled. Check your browser settings to verify whether you’re set for automatic updates, or if you need to install the newest version of Chrome.
As this is the fourth case of a zero-day bug in Google Chrome this year, we may see future occurrences. Though this will always be a risk, Google’s speedy responses will hopefully mitigate any damage done by malicious actors who exploit this kind of weakness.