Google on Monday rolled out a security update for its Chrome browser, which fixes security, stability, and performance improvements, including a zero-day vulnerability. The issue affects Chrome on Windows, Mac, and Android.
Chrome for Windows has been updated to version 103.0.5060.114, which includes four security fixes, of which three were highlighted by Google that were contributed by external researchers:
- High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01
- High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16
- High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19
The high-severity vulnerability (CVE-2022-2294) is a heap buffer overflow bug, which exists in WebRTC, the engine that gives the browser its real-time communications capability. If exploited, this vulnerability may allow denial-of-service attacks or, in some cases, arbitrary code execution on your desktop, which has the potential to give hackers full access to your PC.
“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” according to Google’s Monday security advisory for Windows. “The Stable channel has been updated to 103.0.5060.114 for Windows, which will roll out over the coming days/weeks.”
Google says it doesn’t reveal details about the exploits or the vulnerabilities until a majority of users are updated with a fix. It might also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
Besides fixing the zero-day buffer overflow flaw, Google on Monday also released a patch to fix two other high-severity flaws, which include a type confusion bug in the V8 JavaScript engine tracked as CVE-2022-2295 and a use-after-free flaw in Chrome OS Shell tracked as CVE-2022-2296.
In addition to Chrome for Windows, the fixes were also released in Chrome for Android version 103.0.5060.71 for CVE-2022-2294 and CVE-2022-2295. Further, the Chrome Extended Stable channel has been updated to 102.0.5005.148 for Windows and Mac to fix CVE-2022-2294.
If you are a Chrome user on Windows or Mac, it is recommended to update your browser as soon as possible. To check if there is an update available for you, you can click on the three-dot menu on the top-right of your Chrome window and go to Chrome Menu > Help > About Google Chrome or open the Chrome page by typing chrome://settings/help in your browser.
With this update, Google has addressed the fourth Chrome zero-day flaw in the year 2022, which includes one in February (CVE-2022-0609), March (CVE-2022-1096), and April (CVE-2022-1364).
