Google Chrome, Microsoft Edge patched in race against exploitation

Another bug squashed in JavaScript engine

Google Chrome and Microsoft Edge have been updated to patch a security flaw an exploit for which is said to be in the wild.

Whoever has this exploit code can attack vulnerable browsers, leaving Google and Microsoft, and their users, in a race to fix their software before exploitation can occur. Everyone is thus urged to install the latest version to be safe.

Neither of the two cloud giants provided much detail about the vulnerability, CVE-2022-1096, which Google ranked as a "high" severity bug in Chromium's V8 JavaScript engine. Chromium is at the heart of Google Chrome as well as Microsoft Edge.

Google on Friday issued Chrome version 99.0.4844.84 for Windows, Mac and Linux to close the hole in its browser. A day later, Microsoft pushed out an update for Edge.

The only other detail Google offered about the vulnerability, discovered by an anonymous user, was this:

Google is aware that an exploit for CVE-2022-1096 exists in the wild.

The web goliath noted it would restrict access to bug details until "a majority" of its users patched the flaw. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," Google added.

It's not just Chrome and Edge relying on Google's Chromium project: several other products also use its V8 JavaScript engine, so look out for any security updates for these, if necessary. Google says Chrome has about 2.6 billion users, and Edge is separately said to have about 160 million.

Like Google, Microsoft noted an exploit was in the wild and remained tight lipped about further details.

This latest Chromium vulnerability and exploit follows a couple of other high-profile security incidents for both American companies.

In one, North Korean spies exploited a now-patched remote code execution vulnerability in Chrome to target media, IT, cryptocurrency, and fintech organizations, and hijack their devices.

Google's Threat Analysis Group discovered the bug being abused in the wild on February 10, and said there was evidence it was exploited as early as January 4.  

And earlier this month Microsoft admitted that the notorious Lapsus$ cyber-criminal gang — a number of arrests were made last week in connection with the crew — infiltrated its network and made off with some of its source code. 

That admission came days after Lapsus$ bragged on its Telegram channel about stealing source code for Bing and Cortana. Microsoft was one of several big-name victims in Lapsus$'s recent crime spree, which also included attacks against Okta, Nvidia, Samsung, Ubisoft and Vodafone. ®

Other stories you might like

  • Microsoft Defender goes cross-platform for the masses
    Redmond's security brand extended to multiple devices without stomping on other solutions

    Microsoft is extending the Defender brand with a version aimed at families and individuals.

    "Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."

    The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading

Biting the hand that feeds IT © 1998–2022