Google has released Chrome 108.0.5359.94/.95 for Windows, Mac and Linux users to address a single high-severity security vulnerability that had already been exploited in the wild on at least nine occasions this year.
Google says in a security advisory that there is an exploit for CVE-2022-4262 in the wild.
Google has said that it has begun rolling out the new version to users in the Stable Desktop channel and that it will reach the entire user base within days or weeks.
Users who do not want to wait can check for the new release manually from the Chrome menu > Help > About Google Chrome; Chrome fetches and installs the latest version as soon as the check runs.
Otherwise, updates are applied automatically and require no user interaction.
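An added example, not part of the original article: a small Python helper that parses Chrome's `--version` output and compares it against the patched build numbers quoted above, so an administrator can flag machines that have not yet received the fix. The binary names it looks for are assumptions for Linux/Mac installs.

```python
import re
import shutil
import subprocess

# Minimum Chrome build carrying the fix for CVE-2022-4262 (from the advisory
# discussed above: 108.0.5359.94 on Linux/Mac, 108.0.5359.95 on Windows).
PATCHED_VERSION = (108, 0, 5359, 94)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part Chrome version from strings such as
    'Google Chrome 108.0.5359.94' or 'Chromium 107.0.5304.121 snap'.
    Returns a tuple of ints, or None if no version string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(version, minimum=PATCHED_VERSION):
    """True if the installed build is at least the patched build.
    Tuple comparison handles multi-digit components correctly
    (108.0.5359.100 > 108.0.5359.94), unlike a plain string compare."""
    return version is not None and version >= minimum


def check_installed_chrome():
    """Query the local browser binary (assumed names, Linux/Mac) and report
    (binary name, parsed version, patched?). On Windows read the version
    from chrome.exe's file properties instead of running it."""
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"],
                                 capture_output=True, text=True).stdout
            ver = parse_version(out)
            return name, ver, is_patched(ver)
    return None, None, False


if __name__ == "__main__":
    # Constructed sample lines standing in for `--version` output collected
    # from a fleet; the third one is a later build and should pass.
    samples = ["Google Chrome 107.0.5304.121",
               "Google Chrome 108.0.5359.94",
               "Chromium 108.0.5359.124"]
    for s in samples:
        status = "patched" if is_patched(parse_version(s)) else "VULNERABLE"
        print(f"{s!r}: {status}")
```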
The flaw is a type confusion vulnerability in V8, Chrome’s JavaScript engine, that could be exploited to inject arbitrary code and target a privileged process such as Chrome’s browser process.
Although exploiting type confusion vulnerabilities usually leads to browser crashes, threat actors can use them for arbitrary code execution with some tweaking.
Google has acknowledged that it detected attacks exploiting this zero-day, but it hasn’t shared any details about the incidents.
“Google noted that access to bug details and links could be restricted and affect a majority of users until they are updated with a fix.”
“If the bug still exists in a third-party library, we will also keep some restrictions until that library has fixed the issue.”
Withholding the bug details should give Google Chrome users enough time to upgrade their browsers and protect themselves in the meantime. Publishing them sooner would give more attackers a chance to find or develop new exploits before the new version has reached most users.
This is the ninth Chrome zero-day that has been patched within a year.
This emergency update from Google fixes the ninth Chrome zero-day that has been exploited in the wild since the start of 2019.
The eight zero-day vulnerabilities that have been patched this year are:
- CVE-2022-0609 – February 14
- CVE-2022-1096 – March 25
- CVE-2022-1364 – April 14
- CVE-2022-2294 – July 4
- CVE-2022-2856 – August 17
- CVE-2022-3723 – October 28
- CVE-2022-4135 – November 25