A zero-day vulnerability in Chrome is being actively exploited
Google has pushed out an update for the Windows version of its Chrome web browser to fix a zero-day vulnerability being actively exploited in the wild.
The high-severity bug, tracked as CVE-2022-2294, has been patched with the latest Chrome build (103.0.5060.114), BleepingComputer reports.
Google Chrome is usually updated automatically, as soon as the browser is opened by the user, so there is a good chance many installations have already been patched. However, Google says it may take a number of weeks for the patch to make its way to the remainder.
Short on details
In the meantime, Google is withholding details on the vulnerability and its exploit, so as not to give cybercriminals any ideas. We will have to wait a little longer to learn about the malware being used to leverage the flaw.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
We do know the flaw is a high-severity heap-based buffer overflow weakness, discovered by Avast’s Jan Vojtesek, in the WebRTC (Web Real-Time Communications) component.
Threat actors that manage to successfully exploit this bug can crash programs and run arbitrary code on affected endpoints.
This is hardly the first zero-day bug Google has fixed this year. In fact, this is the fourth, following CVE-2022-0609 (patched in February), CVE-2022-1096 (patched in March), and CVE-2022-1364 (patched in April).
The first of the bunch was leveraged by North Korean state-sponsored actors, researchers said at the time.
Administrators are advised to keep an eye on Chrome, and to make sure to install the patch, should the browser not do so automatically.