Google has released an update for the Windows version of its Chrome web browser to fix an actively exploited zero-day vulnerability in the wild.
The high severity bug, tracked as CVE-2022-2294, has been fixed with the latest version of Chrome (103.0.5060.114), reports BleepingComputer.
Google Chrome usually updates automatically, as soon as the user opens the browser, so it's likely that many installations have already been patched (opens in a new tab). However, Google says that the solution may take several weeks to reach the rest.
short of details
Meanwhile, Google is withholding details about the vulnerability and its exploitation, so as not to give cybercriminals any insight. We'll have to wait a bit longer to learn more about the malware (opens in a new tab) used to exploit the flaw.
"Access to bug details and links may be restricted until most users are updated with a fix," Google said. "We will also keep the restrictions if the bug exists in a third-party library that other projects similarly depend on, but has not yet been fixed."
We know that the flaw is a high-severity buffer overflow weakness, discovered by Jan Vojtesek of Avast, in the WebRTC (Web Real-Time Communications) component.
Hackers who successfully exploit this bug can crash programs and execute arbitrary code on affected endpoints.
This isn't the first zero-day bug that Google fixes this year. In fact, it is the fourth, after CVE-2022-0609 (patched in February), CVE-2022-1096 (patched in March), and CVE-2022-1364 (patched in April).
The first of the group was operated by North Korean state-sponsored actors, investigators said at the time.
Admins are advised to keep an eye on Chrome and make sure to install the patch, if the browser doesn't do it automatically.
Via BleepingComputer (Opens in a new tab)