Emergency Google Chrome Update Fixes Zero-day Used in Attacks

Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug exploited in the wild.

"Google is aware that an exploit for CVE-2022-1096 exists in the wild," the browser vendor said in a security advisory published on Friday.

The 99.0.4844.84 version is already rolling out worldwide in the Stable Desktop channel, and Google says it might be a matter of weeks until it reaches the entire userbase.

Analyst comments:
This is the second Chrome zero-day Google has addressed since the start of 2022. Tracked as CVE-2022-1096, the new zero-day is a high-severity type confusion bug in the Chrome V8 JavaScript engine. Google has yet to release technical details about the vulnerability. In general, type confusion bugs occur when a program allocates or initializes a resource such as a pointer, object or variable using input of a specific “type”, but later accesses that resource using a different “type” that is incompatible with the original. Accessing the resource through an incompatible type can trigger logic errors when the program reads or writes that memory. If successfully exploited, the type confusion weakness could lead to out-of-bounds memory access and allow a threat actor to execute arbitrary code in the context of the browser.

Mitigation:
Although Google stated that the vulnerability is being actively exploited in the wild, it hasn’t shared any information regarding these incidents. However, the company has released a patch for the zero-day and is advising users to upgrade to Chrome 99.0.4844.84 as soon as possible to prevent further exploitation attempts.

Source:
https://www.bleepingcomputer.com/ne...date-fixes-zero-day-used-in-attacks/#comments