Google updates Chrome to squash actively exploited WebRTC Zero Day

How sad – this looks like a fine excuse to avoid video conferences for a while


Google has issued an unexpected update to its Chrome browser to address a zero-day WebRTC flaw that is actively being exploited.

The culprit is CVE-2022-2294, and is a problem in WebRTC – the code that imbues browsers with real-time comms capabilities.

Details of the flaw, number 1341043, are not currently detailed in the Chromium project bug log, and details of the CVE have not been published at the time of writing. But Google's notification of a new browser version describes it as: "Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01."

The fix is installing Chrome 103.0.5060.114 for Windows and Chrome 103.0.5060.71 for Android, both of which will appear soon.

Google says the flaw is under active attack, but offers no insight into how one might detect it or defend against it other than by updating Chrome. Given the nature and purpose of WebRTC, it's probably best not to use browser-based comms tools until you can update.

The Chrome updates also address other flaws, namely:

  • CVE-2022-2295, a type confusion in the V8 JavaScript engine used in Chrome;
  • CVE-2022-2296, a use after free error in Chrome OS Shell;

All three flaws are rated High severity.

The release of new Chrome cuts is the fourth time in 2022 that Google has needed to issue emergency fixes. Thankfully, Chrome updates itself with little user intervention required, so the software's many millions of users should be protected from these latest issues in short order. Whether they're safe in the long run is another question.

The WebRTC flaw was reported on July 1 and Google's notification of updated Chrome cuts to fix it is dated July 4, suggesting folks on the Chrome team lost a weekend preparing the fix and did so with decent speed. But bad actors can make a lot of mischief in three days … ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022