Internet users worldwide must immediately patch CVE-2022-1096, a critical zero-day vulnerability in Google Chrome whose exploit is available in the wild.
Google recently issued an out-of-band security update for its flagship desktop browser Chrome. The update fixes just one security vulnerability tracked as CVE-2022-1096. Google emphasized applying the emergency update for Chrome to version 99.0.4844.84.
Check your Chrome version by typing chrome://version in the address bar and hitting ‘enter.’ If you still have the vulnerable version, update the browser to the latest version (99.0.4844.84) that contains the fix.
A green, orange or red ‘Update’ tab should be visible on the top right corner of your desktop browser beside the ‘Customize and control’ or the vertical ellipsis button. If not, click the vertical ellipsis > Help > About Google Chrome. At this point, Chrome should automatically begin searching and applying for the latest update.
The urgency stems from the fact that not only is CVE-2022-1096 exploitable, but its exploit exists in the wild, including with threat actors. But Google acknowledged that it might take days, maybe more than a week, to reach all 3.2+ billionOpens a new window desktop browser users. Chrome is the most popular browser globally, with a market share of over 62%Opens a new window as of February 2022.
For obvious reasons, details on CVE-2022-1096 haven’t been made public yet. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,†Google said in its Stable Channel Update advisory.
See More: Serious ‘cr8escape’ Vulnerability Discovered in CRI-O for Kubernetes, Patch Now!
We know so far that CVE-2022-1096 is a Type Confusion vulnerability residing in V8, the JavaScript engine used in Chrome. It was reported by an anonymous user.
According to Common Weakness EnumerationOpens a new window (CWE), type confusion arises when a program accesses any system resource using an incompatible type. Suppose a program initializes a resource such as an object or a variable using one type but later accesses that resource with a type incompatible with the original type. In that case, it could trigger logical errors due to the absence of expected properties.
Type confusion bugs can enable access to out-of-bounds system memory, particularly in applications written in languages without memory safety, such as C and C++, and allow arbitrary code execution. V8 is written in C++.
A year ago, similar vulnerabilities were discovered in the Safari browser for both iOS and macOS. Apple secured Safari weeks after the flaws were discovered. And like one of the type confusion vulnerabilities in Apple’s Safari, CVE-2022-1096 in Google Chrome may also enable unauthorized code execution.
This is the second such occasion in as many months that a zero-day vulnerability has cropped up in Google Chrome. Last month’s CVE-2022-0609 was exploited by North Korean hackersOpens a new window weeks before the patch was released.
Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!