Google: Update Chrome Now to Fix Zero-Day
An emergency update for Google Chrome, released Friday, fixes a zero-day that's being exploited in attacks.
Google is telling Chrome users to apply an emergency patch ASAP to resolve a zero-day vulnerability in the browser.
Chrome downloads new versions automatically, but the update only takes effect once the browser is relaunched. To force it, open the Chrome menu > Help > About Google Chrome, which checks for and installs the update, then accept the prompt to relaunch.
Google has disclosed little beyond the basics: the bug, tracked as CVE-2022-1096, is a type confusion flaw in V8, Chrome's JavaScript engine, and the company says it is aware of an exploit for it in the wild.
A type confusion bug arises when code accesses an object as a type other than the one it actually is, usually because a check of the object's type was skipped, or because the object's type changed after the check was made. Fields are then read and written according to the wrong layout, so an integer can be treated as a pointer or a length. That leads to out-of-bounds memory reads and writes, crashes, and, in a JavaScript engine, frequently to arbitrary code execution inside the renderer process.
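The following is an added illustration of that pattern, not code from Google or the Chromium project and not the CVE-2022-1096 bug itself. It uses a hypothetical engine object model (the `int_obj`/`str_obj` types, tags and accessor names are invented for the example) in which an integer's payload and a string's length share the same offset, so an accessor that skips the type check turns a script-controlled integer into a length:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A hypothetical engine object model for illustration only (not V8's).
 * Every heap object begins with a type tag; the fields after the tag depend
 * on the type. The two layouts are chosen so that int_obj.value and
 * str_obj.len occupy the same offset, as overlapping fields do in real engines. */
typedef enum { T_INT = 1, T_STR = 2 } obj_type;

typedef struct {
    obj_type type;    /* T_INT */
    int32_t  value;   /* script-controlled integer at offset 4 */
} int_obj;

typedef struct {
    obj_type type;    /* T_STR */
    uint32_t len;     /* byte length of data, also at offset 4 */
    char     data[16];
} str_obj;

/* Vulnerable pattern: the function assumes its caller already proved the
 * object is a string, so it reads the length without looking at the tag.
 * Handed an int_obj, it returns the integer payload as if it were a length. */
uint32_t str_len_unchecked(const void *obj) {
    const str_obj *s = (const str_obj *)obj;
    return s->len;
}

/* Hardened pattern: check the tag before touching type-specific fields.
 * Returns 0 and sets *len_out on success, -1 if obj is not a string. */
int str_len_checked(const void *obj, uint32_t *len_out) {
    const obj_type *tag = (const obj_type *)obj;
    if (*tag != T_STR) return -1;
    *len_out = ((const str_obj *)obj)->len;
    return 0;
}

/* Copy a string's bytes into dst using the checked accessor and a bound on
 * the destination. Returns bytes copied, or -1 on a type or size violation. */
int str_copy_checked(const void *obj, char *dst, size_t dst_size) {
    uint32_t len;
    if (str_len_checked(obj, &len) != 0) return -1;
    if (len > dst_size) return -1;   /* the length is data; never trust it blindly */
    memcpy(dst, ((const str_obj *)obj)->data, len);
    return (int)len;
}

/* The length a confused copy would hand to memcpy when given an integer
 * object. The copy itself is deliberately not performed: with a misread
 * length it would read far past the end of the object. */
uint32_t confused_copy_length(const int_obj *obj) {
    return str_len_unchecked(obj);
}

int main(void) {
    str_obj s = { T_STR, 5, "hello" };   /* constructed sample objects */
    int_obj i = { T_INT, -1 };           /* -1 reads back as 0xFFFFFFFF */
    char buf[16];
    uint32_t len = 0;

    printf("string via checked accessor:   rc=%d len=%u\n",
           str_len_checked(&s, &len), (unsigned)len);
    printf("integer via checked accessor:  rc=%d (rejected)\n",
           str_len_checked(&i, &len));
    printf("integer via unchecked accessor: len=0x%x (would drive memcpy)\n",
           (unsigned)confused_copy_length(&i));
    printf("checked copy of string:  %d bytes\n", str_copy_checked(&s, buf, sizeof buf));
    printf("checked copy of integer: %d\n", str_copy_checked(&i, buf, sizeof buf));
    return 0;
}
```

The point of the example is the second half of the definition above: a type check that exists somewhere is not enough, because the confused access happens wherever code relies on a check that did not run, or ran on a different object. Engines therefore guard type-specific field accesses at the point of use, and the real bugs are usually a missing or stale guard of exactly this kind.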
It is not yet public how attackers are weaponizing the bug, but the fact that they are should be reason enough to update.
Patching any actively exploited zero-day deserves priority, but one in software as widely used and as trusted as a browser deserves it most, and all the more so now that browsers integrate with cryptocurrency wallets, handle payment flows and ship password manager functionality.
Chrome isn't the only browser affected by CVE-2022-1096. Microsoft Edge, Opera and Brave are built on Chromium, the open-source project under the hood of Chrome, so they inherit the bug and should be treated as vulnerable until they ship a build with the fix.
Here is how to trigger the update in each browser if it has not already updated automatically, along with the build that contains the fix:
- Microsoft Edge: three-dot menu (top right) >> Settings >> About Microsoft Edge (bottom of the left-hand menu) >> version 99.0.1150.55 or later
- Brave: three-line menu (top right) >> About Brave >> Chromium build 99.0.4844.88 or later
- Opera: Opera logo (top left) >> Update & Recovery >> version 85.0.4341.18 or later
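For anyone checking more than one machine, the comparison behind those instructions is "is the installed build at least the fixed one", and it has to be done numerically: a string comparison ranks 99.0.4844.9 above 99.0.4844.84. The following is an added example of that check, not a tool from Google or any of the browser vendors. The Edge, Brave and Opera builds are the ones listed above; the Chrome build, 99.0.4844.84, is not on this page and is taken from Google's stable channel release note; the inventory in `main` is constructed sample data:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First build of each Chromium-based browser that contains the fix, as listed
 * above for Edge, Brave and Opera. The Chrome build (99.0.4844.84) is not on
 * this page; it comes from Google's stable channel release note. For Brave the
 * number is the Chromium build shown on its About page, not Brave's own version. */
struct fixed_build { const char *browser; const char *version; };
static const struct fixed_build FIXED[] = {
    { "chrome", "99.0.4844.84" },
    { "edge",   "99.0.1150.55" },
    { "brave",  "99.0.4844.88" },
    { "opera",  "85.0.4341.18" },
};

/* Accept only digits separated by single dots, e.g. "99.0.4844.84". */
int valid_version(const char *v) {
    if (*v == '\0' || *v == '.') return 0;
    for (; *v; v++) {
        if (*v == '.') {
            if (v[1] == '.' || v[1] == '\0') return 0;
        } else if (*v < '0' || *v > '9') {
            return 0;
        }
    }
    return 1;
}

/* Compare two valid dotted versions numerically, component by component;
 * a missing trailing component counts as 0. Returns <0, 0 or >0 like strcmp.
 * A plain string comparison gets this wrong: "99.0.4844.9" sorts after
 * "99.0.4844.84" lexically but is the older build. */
int version_cmp(const char *a, const char *b) {
    while (*a || *b) {
        unsigned long x = *a ? strtoul(a, (char **)&a, 10) : 0;
        unsigned long y = *b ? strtoul(b, (char **)&b, 10) : 0;
        if (x != y) return x < y ? -1 : 1;
        if (*a == '.') a++;
        if (*b == '.') b++;
    }
    return 0;
}

/* 1 = installed build contains the fix, 0 = still vulnerable,
 * -1 = unknown browser or malformed version string. */
int is_patched(const char *browser, const char *installed) {
    size_t i;
    if (!valid_version(installed)) return -1;
    for (i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (strcmp(FIXED[i].browser, browser) == 0)
            return version_cmp(installed, FIXED[i].version) >= 0 ? 1 : 0;
    }
    return -1;
}

int main(void) {
    /* Constructed sample inventory: browser name and the build it reports. */
    static const struct fixed_build inventory[] = {
        { "chrome",  "99.0.4844.84" },
        { "chrome",  "99.0.4844.51" },
        { "edge",    "99.0.1150.55" },
        { "brave",   "99.0.4844.9" },
        { "opera",   "85.0.4341.18" },
        { "firefox", "98.0" },
    };
    size_t i;
    for (i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = is_patched(inventory[i].browser, inventory[i].version);
        printf("%-8s %-14s %s\n", inventory[i].browser, inventory[i].version,
               r == 1 ? "patched" : r == 0 ? "VULNERABLE" : "unknown");
    }
    return 0;
}
```

Feed it the version string each browser reports on its About page; anything that is not a dotted build number is rejected rather than silently compared, and a browser not in the table comes back as unknown rather than as patched.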
For Google, it's the second Chrome zero-day patched this year. The first, CVE-2022-0609, a use-after-free in the browser's Animation component, was fixed in February. Only last week did Google's Threat Analysis Group, which discovered that bug, describe how two North Korean government-backed groups had been exploiting it since at least January against organizations in the media, IT, cryptocurrency and fintech sectors. One of the groups targeted more than 250 people at 10 companies with fake job offers that led to spoofed versions of legitimate websites serving an exploit kit.
Earlier this month the company also offered some context on in-the-wild Chrome exploits, pointing to the deprecation of Flash and Chromium's growth in market share over the past few years as reasons attackers have increasingly turned their attention to Chrome.