Google released an out-of-band security update on Friday to fix a high-severity vulnerability in its Chrome browser that is being actively exploited in the wild, according to the company.
The zero-day vulnerability, identified as CVE-2022-1096, is a type misunderstanding vulnerability in the V8 JavaScript engine. On March 23 2022 an anonymous researcher was credited with disclosing the problem.
In languages that are not memory safe, such as C and C++, type confusion errors, which occur when a resource (e.g. a variable or an object) is accessed using a type that is incompatible with what was originally initialised. This could have serious consequences allowing a malicious actor to perform out-of-bounds memory access.
If the allocated buffer is smaller than the type that the function is attempting to access it could read or write memory beyond of the confines of the buffer. Resulting in a crash and perhaps code execution according to MITRE’s Common Weakness Enumeration (CWE).
The tech giant admitted that an exploit for CVE-2022-1096 exists in the wild. However they declined to provide any details in order to avoid further exploitation and until the bulk of customers have been updated with a remedy.
CVE-2022-1096 is Google’s second zero-day vulnerability in Chrome since the beginning of the year. The first being CVE-2022-0609 a use-after-free flaw in the Animation component that was patched on February 14, 2022.
Google’s Threat Analysis Group (TAG) revealed details of a parallel effort orchestrated by North Korean. They use their nation-state organisations to target U.S.-based firms in the news media, IT, cryptocurrency and finance industries earlier last week.
To avoid any potential dangers Google Chrome users should update to the current version 99.0.4844.84 for Windows, Mac and Linux. Users of Chromium-based browsers such as Microsoft Edge, Opera, and Vivaldi should also update as soon as the updates are released.