Google has released Chrome 98.0.4758.102 for Windows, Mac, and Linux, to fix a high-severity zero-day vulnerability used by threat actors in attacks.
“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” Google said in a security advisory released today.
Google states that the Chrome update will roll out over the coming weeks. However, it is possible to install the update immediately simply by going into the Chrome menu > Help > About Google Chrome.
The browser will also automatically check for new updates and install them the next time you close and relaunch Google Chrome.
Zero-day details not disclosed
The zero-day bug fixed today, tracked as CVE-2022-0609, is described as a “Use after free in Animation” and was assigned a High severity level.
This vulnerability was discovered by Clément Lecigne from Google’s Threat Analysis Group.
Attackers commonly exploit use after free bugs to execute arbitrary code on computers running unpatched Chrome versions or escape the browser’s security sandbox.
While Google said they have detected attacks exploiting this zero-day, it did not share any additional info regarding these incidents or technical details about the vulnerability.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.
In addition to the zero-day, this Google Chrome update fixed seven other security vulnerabilities, all but one classified as ‘High’ severity.
First Chome zero-day fixed this year
With this update, Google has addressed the first Chrome zero-day since the start of 2022.
However, we will likely see many more disclosed as the year goes on as there were a total of 16 zero-days patched in 2021:
- CVE-2021-21148 – February 4th
- CVE-2021-21166 – March 2nd
- CVE-2021-21193 – March 12th
- CVE-2021-21220 – April 13th
- CVE-2021-21224 – April 20th
- CVE-2021-30551 – June 9th
- CVE-2021-30554 – June 17th
- CVE-2021-30563 – July 15th
- CVE-2021-30632 and CVE-2021-30633 – September 13th
- CVE-2021-37973 – September 24th
- CVE-2021-37976 and CVE-2021-37975 – September 30th
- CVE-2021-38000 and CVE-2021-38003 – October 28th
- CVE-2021-4102 – December 13th
Because this zero-day is known to have been used by attackers in the wild, is it strongly recommended that everyone install today’s Google Chrome update as soon as possible.
Source: Bleeping Computer