Google developers released an urgent fix for Chrome 108.0.5359.94 on Friday. The update addresses a novel, zero-day vulnerability (tracked CVE-2022-4262).
The flaw reportedly affects all versions of the browser, and according to Mike Walters, VP of vulnerability and threat research at Action1, the fix was urgent, as there is already a working exploit for it.
“This fix addresses the ninth zero-day vulnerability in the browser this year. Moreover, it continues an odd pattern of Google fixing a zero-day vulnerability soon after a regular release,” Walters told Infosecurity.
As is customary for Google, details on the vulnerability and exploit have yet to be published.
“Google will not give details about the vulnerability until most users’ browsers are updated, and rightly so,” Walters said. “The severity of this vulnerability can hardly be overstated. That’s why we recommend that you update your Chrome browser as soon as possible.”
While details concerning the flaw are not publicly known, it is known that it is related to type confusion bugs in the V8 JavaScript engine.
“Accordingly, it is very likely that this vulnerability allows remote code execution, which means that a threat actor could cause any script or malware payload to be executed on the victims’ device,” Walters explained.
“In most cases, attackers exploit such vulnerabilities when users visit their malicious site. Then they steal data from the affected devices or create botnets to perform distributed denial-of-service (DDoS) attacks, mine cryptocurrency or send spam.”
At the same time, patching browsers can be problematic, Walters said, since people do not like rebooting their browsers, which is usually needed as part of an update.
“That’s why the best practice for organizations is to automate patching for third-party apps, including browsers, and ensure their IT teams can force reboots remotely in a way that is comfortable to end users,” the executive concluded.
The patch comes less than two weeks from Google’s latest Chrome patch for a zero-day (tracked CVE-2022-4135), which the tech giant addressed on November 24.
