Security News > 2022 > July > Google Patches Actively Exploited Chrome Bug
While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.
Chrome 103 for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.
Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.
In addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as CVE-2022-2295 and reported June 16 by researchers "Avaue" and "Buff3tts" at S.S.L., according to the post.
Another flaw patched in Monday's Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as CVE-2022-2296, according to Google.
Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google in February already had patched a zero-day use-after-free flaw in Chrome's Animation component tracked as CVE-2022-0609 that was under active attack.
News URL
https://threatpost.com/actively-exploited-chrome-bug/180118/
Related news
- Google Drops Cookie Prompt in Chrome, Adds IP Protection to Incognito (source)
- Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android (source)
- Google Chrome to use on-device AI to detect tech support scams (source)
- Google Chrome to block admin-level browser launches for better security (source)
- Google fixes high severity Chrome flaw with public exploit (source)
- Google Chrome's Built-in Manager Lets Users Update Breached Passwords with One Click (source)
- Google Chrome to distrust Chunghwa Telecom, Netlock certificates in August (source)
- New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch (source)
- Google Chrome to Distrust Two Certificate Authorities Over Compliance and Conduct Issues (source)
- Google patches new Chrome zero-day bug exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-28 | CVE-2022-2296 | Use After Free vulnerability in multiple products Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions. | 8.8 |
| 2022-07-28 | CVE-2022-2295 | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2022-04-05 | CVE-2022-0609 | Use After Free vulnerability in Google Chrome Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |