
Google Chrome, Microsoft Edge patched in race against exploitation

Another bug squashed in JavaScript engine

Google Chrome and Microsoft Edge have been updated to patch a security flaw for which an exploit is said to be in the wild.

Whoever has this exploit code can attack vulnerable browsers, leaving Google and Microsoft, and their users, in a race to fix their software before exploitation can occur. Everyone is thus urged to install the latest version to be safe.

Neither of the two cloud giants provided much detail about the vulnerability, CVE-2022-1096, which Google ranked as a "high" severity bug in Chromium's V8 JavaScript engine. Chromium is at the heart of Google Chrome as well as Microsoft Edge.

Google on Friday issued Chrome version 99.0.4844.84 for Windows, Mac and Linux to close the hole in its browser. A day later, Microsoft pushed out an update for Edge.

The only other detail Google offered about the vulnerability, discovered by an anonymous user, was this:

Google is aware that an exploit for CVE-2022-1096 exists in the wild.

The web goliath noted it would restrict access to bug details until "a majority" of its users patched the flaw. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," Google added.

It's not just Chrome and Edge relying on Google's Chromium project: several other products also use its V8 JavaScript engine, so look out for any security updates for these, if necessary. Google says Chrome has about 2.6 billion users, and Edge is separately said to have about 160 million.

Like Google, Microsoft noted an exploit was in the wild and remained tight-lipped about further details.

This latest Chromium vulnerability and exploit follows a couple of other high-profile security incidents for both American companies.

In one, North Korean spies exploited a now-patched remote code execution vulnerability in Chrome to target media, IT, cryptocurrency, and fintech organizations, and hijack their devices.

Google's Threat Analysis Group discovered the bug being abused in the wild on February 10, and said there was evidence it was exploited as early as January 4.  

And earlier this month Microsoft admitted that the notorious Lapsus$ cyber-criminal gang — a number of arrests were made last week in connection with the crew — infiltrated its network and made off with some of its source code. 

That admission came days after Lapsus$ bragged on its Telegram channel about stealing source code for Bing and Cortana. Microsoft was one of several big-name victims in Lapsus$'s recent crime spree, which also included attacks against Okta, Nvidia, Samsung, Ubisoft and Vodafone. ®
