Google Chrome, Microsoft Edge patched in race against exploitation
Google Chrome and Microsoft Edge have been updated to patch a security flaw for which an exploit is said to be in the wild.
Whoever has this exploit code can attack vulnerable browsers, leaving Google and Microsoft, and their users, in a race to fix their software before exploitation can occur. Everyone is thus urged to install the latest version to be safe.
Google on Friday issued Chrome version 99.0.4844.84 for Windows, Mac and Linux to close the hole in its browser. A day later, Microsoft pushed out an update for Edge.
The only other detail Google offered about the vulnerability, discovered by an anonymous user, was this:
"Google is aware that an exploit for CVE-2022-1096 exists in the wild."
The web goliath noted it would restrict access to bug details until "a majority" of its users patched the flaw. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," Google added.
Like Google, Microsoft noted an exploit was in the wild and remained tight-lipped about further details.
This latest Chromium vulnerability and exploit follows a couple of other high-profile security incidents for both American companies.
In one, North Korean spies exploited a now-patched remote code execution vulnerability in Chrome to target media, IT, cryptocurrency, and fintech organizations, and hijack their devices.
Google's Threat Analysis Group discovered the bug being abused in the wild on February 10, and said there was evidence it was exploited as early as January 4.
And earlier this month Microsoft admitted that the notorious Lapsus$ cyber-criminal gang — a number of arrests were made last week in connection with the crew — infiltrated its network and made off with some of its source code.
That admission came days after Lapsus$ bragged on its Telegram channel about stealing source code for Bing and Cortana. Microsoft was one of several big-name victims in Lapsus$'s recent crime spree, which also included attacks against Okta, Nvidia, Samsung, Ubisoft and Vodafone.