Google issues third emergency fix for Chrome this year

The latest patch is aimed at a type confusion vulnerability that is actively being exploited


Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild.

The emergency updates the company issued this week impact the almost three billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi.

It is the third such emergency update Google has had to issue for Chrome this year.

One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being abused by attackers. With a type-confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access.

This incompatibility can cause a browser to crash or trigger logical errors. It can potentially be exploited to execute arbitrary code.

"Depending on the privileges associated with the application, an attacker could view, change, or delete data," according to the Center for Internet Security. "If this application has been configured to have fewer user rights on the system, exploitation of the most severe of this vulnerability could have less impact than if it was configured with administrative rights."

Google in its alert identifies the vulnerability a type confusion in Chromium V8, impacting the JavaScript engine used in the browser.

Clement Lecigne, who is part of Google's Threat Analysis Group (TAG), reported the vulnerability on April 13 and the company announced the fix the same day.

"Google is aware that an exploit for CVE-2022-1364 exists in the wild," the company wrote in the alert.

Google officials did not release many details about the flaw, saying that information and links about the bug are being restricted until a majority of users are updated with the fix, which will bring Chrome to version 100.0.4896.127 across the Windows, Linux and Mac platforms. They also said they "will retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

The Chrome updates will be applied in the coming days and weeks, with Chrome automatically installing them when the browser is closed and relaunched.

Google should be getting used to issuing such emergency fixes. In March, both Google and Microsoft issued updates to fix a vulnerability to the Chromium V8 JavaScript engine that was being actively exploited. That vulnerability, tracked as CVE-2022-1096, also was a high-severity bug in Chrome, Edge and other browsers.

A month earlier, Google threat researchers found a flaw that was being abused in the wild, saying it was being exploited as early as Jan. 4. In a report in March, the TAG team said two North Korean-based threat groups were exploiting a remote code execution (RCE) vulnerability in Chrome tracked as CVE-2022-0609 in campaigns dubbed Operation Dream Job and Operation AppleJeus.

The attacks focused on US-based organizations in such sectors as the news media, IT, financial tech and cryptocurrency, though the researchers said other companies in other countries also may have been targeted. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022