Google has released an unscheduled update, Chrome 99.0.4844.84, for Windows, macOS and Linux that fixes a zero-day vulnerability already being exploited by attackers. The company has not yet revealed details about the vulnerability and is waiting until most users have received the update.
“Google has become aware of the existence of an exploit for [vulnerability] CVE-2022-1096,” the company said in a statement. Chrome 99.0.4844.84 is already rolling out on the Stable Desktop channel, and the company says its entire user base will receive it within the next days or weeks. Updates install automatically in the background, but you can speed things up by opening the “Help” item in the program menu and selecting the “About Google Chrome” sub-item. After the latest version is installed, the browser needs to restart.
The fixed vulnerability was assigned the number CVE-2022-1096. It stems from a lack of object type checking (type confusion) in the Chrome V8 JavaScript engine, and it was reported by an anonymous cybersecurity specialist. Successful exploitation of such errors allows reading or writing memory outside the buffer, which attackers can use to execute arbitrary code.
Google urgently fixes mysterious zero-day vulnerability in Chrome
Google acknowledged the existence and use of an exploit for this vulnerability but did not reveal details about its nature. “Access to bug details and links may be limited until most users receive the hotfix update. We will also keep the restrictions if the bug is present in a third-party library that other projects that have not yet got a fix depend on in a similar way,” the company said.
This is also Google's second fix this year for a zero-day vulnerability that was already being exploited by attackers. The earlier bug, CVE-2022-0609, was used by two groups of North Korean hackers to launch a large-scale attack, according to the company.
According to the British publication The Register, citing Google employee Adam Weidemann, that Chrome vulnerability was identified on February 10 and had been exploited since at least January 4. The bug made it possible to compromise the victim’s browser, seize control of the computer and perform surveillance. The North Korean intelligence services targeted employees of American companies in media, high technology, cryptocurrency and fintech, but it is possible that the attackers also worked in other countries and industries.