Google updates Chrome to squash actively exploited WebRTC Zero Day
How sad – this looks like a fine excuse to avoid video conferences for a while
Google has issued an unexpected update to its Chrome browser to address a zero-day WebRTC flaw that is actively being exploited.
The culprit is CVE-2022-2294, a problem in WebRTC – the code that imbues browsers with real-time comms capabilities.
The flaw, Chromium bug number 1341043, is not currently detailed in the Chromium project bug log, and details of the CVE had not been published at the time of writing. But Google's notification of a new browser version describes it as: "Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01."
The fix is installing Chrome 103.0.5060.114 for Windows and Chrome 103.0.5060.71 for Android, both of which will appear soon.
Google says the flaw is under active attack, but offers no insight into how one might detect it or defend against it other than by updating Chrome. Given the nature and purpose of WebRTC, it's probably best not to use browser-based comms tools until you can update.
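As an added illustration (not from the article, Google or the Chromium project), here is a small Python check that compares an inventoried Chrome version against the fixed builds named above. The version strings it takes are assumed to come from chrome://version or endpoint management tooling; the sample inventory at the bottom is constructed. The point it makes is that version strings must be compared numerically, because as plain strings "103.0.5060.71" sorts after "103.0.5060.114".

```python
import re
from typing import Tuple

# Minimum fixed Chrome builds for CVE-2022-2294, as stated in the article.
FIXED_VERSIONS = {
    "windows": "103.0.5060.114",
    "android": "103.0.5060.71",
}

# Chrome versions are four dot-separated integers (major.minor.build.patch).
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints.

    Comparing the raw strings would be wrong: "103.0.5060.71" > "103.0.5060.114"
    lexicographically because "7" > "1", so a vulnerable Android-style build
    number would look newer than the Windows fix.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a four-part Chrome version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the fixed build for that platform."""
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    return parse_version(installed) >= parse_version(fixed)


def report(installed: str, platform: str) -> str:
    """One human-readable line per endpoint, for a patch-status summary."""
    status = "patched" if is_patched(installed, platform) else "UPDATE REQUIRED"
    return f"{platform}: Chrome {installed} -> {status} (fixed in {FIXED_VERSIONS[platform.lower()]})"


if __name__ == "__main__":
    # Constructed sample inventory; real values come from your endpoint tooling.
    inventory = [("windows", "103.0.5060.53"), ("windows", "103.0.5060.114"),
                 ("android", "103.0.5060.71"), ("android", "103.0.5060.9")]
    for platform, installed in inventory:
        print(report(installed, platform))
```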
The Chrome updates also address other flaws, namely:
- CVE-2022-2296, a use-after-free error in Chrome OS Shell;
All three flaws are rated High severity.
This release of new Chrome cuts marks the fourth time in 2022 that Google has needed to issue emergency fixes. Thankfully, Chrome updates itself with little user intervention required, so the software's many millions of users should be protected from these latest issues in short order. Whether they're safe in the long run is another question.
The WebRTC flaw was reported on July 1 and Google's notification of updated Chrome cuts to fix it is dated July 4, suggesting folks on the Chrome team lost a weekend preparing the fix and did so with decent speed. But bad actors can make a lot of mischief in three days … ®