July 7 update below. This article was originally published on July 6
Another Chrome zero-day security exploit, the fourth this year, has just been confirmed by Google, which warns that attacks have been spotted in the wild with Android and Windows users in the crosshairs.
In a July 4 post, Google confirmed that an update to Chrome 103.0.5060.114 for Windows would roll out over the coming days and weeks. Although Chrome will update to this patched version automatically, and the protection takes effect once the browser is restarted, there is a very good reason not to wait for that to happen. That reason is CVE-2022-2294.
What is CVE-2022-2294?
This very serious security vulnerability, reported by a member of the Avast Threat Intelligence team, is described only as a buffer overflow in WebRTC. Full details are being withheld until most Chrome users have had a chance to update. The reason to update sooner, much sooner in fact, is that this is a zero-day threat: it wasn’t reported until July 1, and Google rushed out a fix while confirming that it “is aware that an exploit for CVE-2022-2294 exists in the wild.”
Two other high-severity vulnerabilities have also been confirmed fixed in this latest update: CVE-2022-2295 (type confusion in V8) and CVE-2022-2296 (use-after-free in Chrome OS Shell).
Chrome for Android is also under active attack
At the same time, Android users are also advised to update as soon as possible, for the same reason. CVE-2022-2294 also affects the Chrome app for Android, and Google has confirmed that attacks have been spotted in the wild. The patched version of Chrome for Android is 103.0.5060.71, which will be available through Google Play.
What Windows Users Should Do Now to Protect Against This New Threat to Google Chrome
Windows users are advised to install the Chrome update urgently. You can do this by heading to Help | About Google Chrome in the Chrome menu, which forces a check for the update and then downloads and installs it automatically if needed. Remember that you will not be protected until you restart your browser.
July 7 Update
Hopefully your copy of Google Chrome for Windows and Android should have been updated by now. If you tend to keep a desktop browser open for days or weeks without shutting down your computer, that doesn’t mean an automatic update will actually protect you. Restarting your browser will activate this protection or initiate a download if it is not already waiting to be installed. The same advice applies to users of other web browsers that use the Chromium engine under the hood. Microsoft Edge is the largest of them by number of users. I’ve been relatively vocal in the recent past about these critical updates taking far too long to arrive with Edge users. 24 or 48 hours isn’t unusual and has sometimes been much longer, and that’s plenty of time for someone to potentially get through that open threat window.
So I’m very happy to be able to update this article with the news that Microsoft has already rolled out an update for Edge users. According to Microsoft, build 103.0.1264.49 contains a fix for CVE-2022-2294, the zero-day that has already been confirmed as exploited by cyber criminals. Like Chrome, Edge also updates automatically but requires the same restart to properly activate. So, launch the browser and make sure you’re protected by heading to the “Help & Feedback | About Microsoft Edge” entry in the three-dot menu at the top right.
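Checking a single browser via its About page is fine for one machine, but anyone responsible for more than a handful of endpoints will want to compare reported versions against the patched builds in bulk. The script below is an added example, not code from the article, Google or Microsoft. The three minimum build numbers are the ones this article gives (Chrome for Windows 103.0.5060.114, Chrome for Android 103.0.5060.71, Edge 103.0.1264.49); the "Google Chrome 103.0.x.y" output format it parses is an assumption about what `chrome --version` prints, and the inventory lines are constructed sample data. The point it illustrates is that browser versions must be compared numerically, field by field: a plain string comparison would rank "103.0.5060.71" above "103.0.5060.114" and report an unpatched Android build as safe.

```python
import re
from typing import Dict, List, Tuple

# Minimum builds containing the CVE-2022-2294 fix, taken from the article.
PATCHED_MINIMUMS: Dict[str, str] = {
    "chrome-windows": "103.0.5060.114",
    "chrome-android": "103.0.5060.71",
    "edge": "103.0.1264.49",
}

# Matches a four-part dotted build number such as 103.0.5060.114 inside
# free-form text (assumed format of `chrome --version` style output).
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){3})\b")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '103.0.5060.114' into (103, 0, 5060, 114).

    Integer tuples compare field by field, which is what a build number
    needs; comparing the raw strings would put '71' after '114'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True if the installed build is at or above the patched minimum."""
    minimum = parse_version(PATCHED_MINIMUMS[product])
    return parse_version(installed) >= minimum


def version_from_cli_output(text: str) -> str:
    """Extract the build number from text like 'Google Chrome 103.0.5060.114'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version string found in {text!r}")
    return match.group(1)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need the update.

    Each inventory row is (hostname, product key, raw version text), where the
    raw text may be a bare version or a full `--version` style line.
    """
    needs_update = []
    for host, product, raw in inventory:
        version = version_from_cli_output(raw)
        if not is_patched(product, version):
            needs_update.append((host, product, version))
    return needs_update


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    sample = [
        ("ws-01", "chrome-windows", "Google Chrome 103.0.5060.114"),
        ("ws-02", "chrome-windows", "Google Chrome 103.0.5060.53"),
        ("phone-07", "chrome-android", "103.0.5060.71"),
        ("phone-08", "chrome-android", "103.0.5060.66"),
        ("ws-03", "edge", "Microsoft Edge 103.0.1264.49"),
        ("ws-04", "edge", "Microsoft Edge 103.0.1264.37"),
    ]
    for host, product, version in audit(sample):
        print(f"{host}: {product} {version} is below {PATCHED_MINIMUMS[product]}")
```

Run it against whatever version strings your endpoint tooling already collects; the only thing the check cares about is that the build number is compared as integers, and that a browser which has downloaded the update but not yet restarted still reports its old build, so "below minimum" here means exactly what the article says: restart and verify.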