Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users. The update is rolling out on the Stable Desktop channel over the coming days and weeks. It fixes a high-severity zero-day flaw that is being exploited in the wild. The browser also checks for updates automatically and installs them on the next launch.
Vulnerability And Attack Details Kept Secret
The zero-day is tracked as CVE-2022-1096. It is a high-severity type confusion flaw in the Chrome V8 JavaScript engine, reported by an anonymous security researcher.
Type confusion bugs usually crash the browser when they are triggered. Because they let an attacker read or write memory outside the bounds of the buffer, they can also be leveraged to execute arbitrary code.
Google has stated that it is aware of attacks exploiting this zero-day in the wild, but it has not published any technical details or information about those incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
Withholding the details gives Chrome users time to upgrade and reduces the chance of concerted exploitation before the browser maker publishes more information.
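As an added example that is not part of the original article: a small Python check a defender can run over collected `google-chrome --version` output to tell which hosts are still on a build older than 99.0.4844.84. The hostnames and version lines below are constructed, and the numeric tuple comparison avoids the pitfall of comparing version strings lexicographically.

```python
import re
from typing import Optional, Tuple

# Chrome build that ships the fix for CVE-2022-1096 (from the article).
FIXED_VERSION = "99.0.4844.84"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 99.0.4844.51") or a bare
    version string. Returns None when no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    # Compare as integers: "99.0.4844.9" is OLDER than "99.0.4844.84",
    # even though a plain string comparison would say the opposite.
    return tuple(int(part) for part in match.groups())


def is_patched(text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported build is at or above the fixed version, False if
    it is older, None if no version could be parsed (unknown, not safe)."""
    installed = parse_version(text)
    if installed is None:
        return None
    return installed >= parse_version(fixed)


# Constructed inventory (hostname, captured `google-chrome --version` output);
# not real data, just enough to exercise each outcome of the check.
INVENTORY = [
    ("ws-01", "Google Chrome 99.0.4844.51"),
    ("ws-02", "Google Chrome 99.0.4844.84"),
    ("ws-03", "Google Chrome 99.0.4844.9"),   # older despite the larger digit
    ("ws-04", "Google Chrome 100.0.4896.60"),
    ("ws-05", "bash: google-chrome: command not found"),
]


def report(inventory=INVENTORY):
    """Return {hostname: 'patched' | 'vulnerable' | 'unknown'}."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {host: labels[is_patched(line)] for host, line in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be treated as unverified rather than safe, since the version could not be read at all.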
Second Zero-day Patch Of 2022 By Google
It is the second Chrome zero-day Google has fixed since the start of 2022. The first, tracked as CVE-2022-0609, was patched last month. According to Google's Threat Analysis Group (TAG), North Korean state-backed hackers had exploited it for weeks before the February fix.
Two separate threat groups funded by the North Korean government used the zero-day in their campaigns. They delivered malware through phishing emails carrying bogus job offers and through compromised websites containing hidden iframes that served an exploit kit.