Google pushed an update to the Windows version of its Chrome web browser to fix a zero-day vulnerability that is being actively exploited in the wild.
The high-severity bug, tracked as CVE-2022-2294, has been fixed in the latest Chrome version (103.0.5060.114), Computer reports.
Google Chrome usually updates itself automatically once the user opens the browser, so there is a good chance that many installs are already fixed. However, Google says that it may take a number of weeks for the patch to reach the rest of the user base.
Details withheld for now
In the meantime, Google is withholding the details of the vulnerability and its exploit, so as not to give cybercriminals any ideas. We will have to wait a little longer to learn which malware is being used to take advantage of the flaw.
“Access to bug details and links may be restricted until the majority of users have been updated with a fix,” Google said. “We will also keep the limitation if the bug is in a third-party library that other projects similarly rely on, but it hasn’t been fixed yet.”
What is known is that the flaw is a high-severity heap-based buffer overflow, discovered by Jan Vojtěšek of Avast, in the WebRTC (Web Real-Time Communications) component.
Threat actors who successfully exploit this bug can crash the affected program or run arbitrary code on affected endpoints.
This is hardly the first zero-day bug that Google has fixed this year. In fact, it is the fourth, after CVE-2022-0609 (patched in February), CVE-2022-1096 (patched in March), and CVE-2022-1364 (patched in April).
Researchers at the time said the first of these was exploited by state-sponsored actors from North Korea.
Administrators are advised to check their Chrome installs and make sure the patched version is in place, in case the browser has not updated itself automatically.
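One way to perform that check on a fleet, as an added example that is not part of the original article: compare the installed Chrome build against the fixed version named above. The registry key path used to read the installed version is an assumption about how Chrome records it on Windows; the version comparison itself runs anywhere.

```python
import sys
from typing import Optional, Tuple

# Fixed Chrome build named in the article for CVE-2022-2294.
FIXED_VERSION = "103.0.5060.114"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into a tuple of ints so comparison is numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is the fixed build or newer.

    Numeric comparison matters: as plain strings "103.0.5060.53" sorts after
    "103.0.5060.114", yet the .53 build is older and still vulnerable.
    """
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Read the installed Chrome version from the Windows registry.

    Assumption: Chrome stores it as the "version" value under
    Software\\Google\\Chrome\\BLBeacon (HKLM for per-machine installs,
    HKCU for per-user installs). Returns None off Windows or if absent.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, r"Software\Google\Chrome\BLBeacon") as key:
                value, _ = winreg.QueryValueEx(key, "version")
                return str(value)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    found = installed_chrome_version()
    if found is None:
        print("Chrome version not found in registry (non-Windows host or no install)")
    else:
        state = "patched" if is_patched(found) else "VULNERABLE to CVE-2022-2294"
        print(f"Chrome {found}: {state}")
```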