Google Ships Emergency Update for the Sixth Zero-day Chrome Vulnerability in 2022
Google issued the update for the desktop versions of the browser, including Windows, Mac, and Linux. It is unclear if Chrome for Android and iOS are impacted.
Google recently rolled out an update for a new zero-day vulnerability found in the Chrome web browser. Tracked as CVE-2022-3075, the vulnerability is the sixth zero-day one found in the popular browser.
Google issued the update for the desktop versions of the browser, including Windows, Mac, and Linux. Without going into details of the vulnerability for obvious reasons, Google said CVE-2022-3075 exists due to “insufficient data validation” in the runtime libraries that Chromium, the open-source browser Chrome is based on.
These libraries, collectively known as Mojo, enable Chrome or any other app/program that runs on it for multiple functions, mainly to carry out inter- and intra-process communication.
Google credited an anonymous researcher with discovering CVE-2022-3075, which from the information revealed by Google so far, exists due to gaps in how Chrome is fed inputs for validation. In other words, a threat actor can exploit the bug by feeding a malicious input.
Fix for the zero-day vulnerability, whose exploit “exists in the wild,” will be released in the coming days/week, according to Google’s post dated September 2, 2022. By now, the update should be available for most regions. To see if you are updated, go to the vertical ellipsis in the top right corner of Chrome, and click on Settings > About Chrome.
After installing the update, the stable build should be 105.0.5195.102. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google noted.
See More: August Patch Tuesday: Microsoft Fixes Two Zero-Day and 17 Critical Vulnerabilities
The discovery of CVE-2022-3075 comes on the heels of an update (version 105) released in the last week of August, wherein 24 security issues were addressed, none of which were described as zero-days, though one was critical and eight others were rated high in severity.
However, it is the sixth zero-day vulnerability, i.e., whose exploit is available in-the-wild. Details of the six zero-day vulnerabilities found in Chrome in 2022 are given below:
Vulnerability |
Type | Resides In | CVSS Score |
Vulnerable Chromium Versions |
---|---|---|---|---|
Use-after-free | Animation | 8.8 | Before 98.0.4758.102 | |
CVE-2022-1096 | Type Confusion | V8 engine | 8.8 |
Before 99.0.4844.846 |
Type Confusion | V8 engine | 8.8 | Before 100.0.4896.127 | |
CVE-2022-2294 | Heap buffer overflow | WebRTC | 8.8 |
Before 103.0.5060.114 |
Insufficient validation of untrusted input | Intents | NA | Before 104.0.5112.97 | |
CVE-2022-3075 | Insufficient data validation | Mojo | NA |
Before 105.0.5195.54 |
Chrome has a user base of over 2.65 billion and approximately 64% of the market share. It is unclear if CVE-20220-3075 impacts Chrome for Android and iOS as well. Nevertheless, Google has released updates (available on Play Store and App Store) for the two all the same.
On the same day Google announced the fix for CVE-2022-3075 in Chrome for Desktop, Microsoft also rolled out version 105.0.1343.27 of Edge, also a Chromium-based browser and the company’s successor to Internet Explorer.
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!