A new emergency update is available for Google Chrome on desktop and Android. The update brings an important security fix for a zero-day vulnerability in the browser.
Google Chrome patches 8th zero-day exploit this year
The security issue, which has been tracked as CVE-2022-4135, has been labeled a high severity issue. As noted by Bleeping Computer, this is the 8th zero-day vulnerability that has been found in Chrome this year. That might be surprising, but considering that Chrome boasts the largest user base among browsers, it no doubt attracts more attention from hackers than the rest.
A blog post that has been published by Google describes the issue as a heap buffer overflow in the GPU. The flaw was reported by Clement Lecigne of Google’s Threat Analysis Group, on November 22nd. The announcement confirms that the vulnerability has been actively exploited by threat actors in the wild. The Mountain View company has not gone further into the details about the security loophole. The article explains that Google will restrict access to the bug details and links, until the update that contains a fix for the security flaw has rolled out to the majority of its users. That makes sense since the vulnerability has already been exploited, so disclosing more details about the attack vector right away can actually help in minimizing the number of attacks that target the loophole.
The CVE record for the issue sheds a little more light on how the issue could have impacted users. The vulnerability in the heap buffer overflow in the GPU, might have allowed hackers who had gained remote access to the renderer process in the web browser. This could then be used to perform a sandbox escape with a crafted HTML page. In simpler terms, a hacker could have executed malicious code from outside the sandbox’s protection, thus compromising the user’s security. The issue affects all versions of Chrome prior to version 107.0.5304.121.
The fix for this bug is included in the latest version of Google Chrome 107, more specifically 107.0.5304.121 and .122 for Windows, Mac and Linux. Google Chrome 107 (107.0.5304.141) for Android also includes the security patch. Chrome’s Extended Stable channel has been updated to 106.0.5249.199 on Windows and Mac, but it’s unclear if it contains the security fix.
Google’s announcement says that it may take a few days or weeks for the emergency update to roll out to all users. But when I checked it on my computer, the update was already available for the stable channel of the browser. If you don’t have it yet, go to the desktop program’s Menu > About Chrome page, and it should download and update to the new build automatically. Chrome users on Android can get the app update from the Google Play Store. Other browsers that rely on Chromium’s source code should hopefully pick up the security fix soon, and ship it an update to protect their users.
Google had patched 10 security issues in Chrome 107, which was released to the stable channel a few weeks ago.
