Google patches second Chrome browser zero-day of 2022
Google acted quickly to secure against the type confusion vulnerability that was under active exploitation


Google has now patched the second actively exploited zero-day vulnerability in its Chrome browser this year.
Most of the details about the security vulnerability were left unpublished by Google, but the company confirmed it was a type confusion flaw, tracked as CVE-2022-1096, found in the V8 JavaScript engine.
Type confusion issues occur when code is handed an object and uses it without verifying its type, so the object is treated as a type it is not. In some cases, code execution can be achieved when the wrong function pointers or data are fed into certain parts of a codebase.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google Chrome in a blog post. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The Google Chrome Stable Channel has been updated to version 99.0.4844.84 across Windows, Mac, and Linux, and users should start to see their browsers update “over the coming days/weeks,” Google said.
The vulnerability was reported on 23 March, prompting a swift response from Google Chrome, which released a patch two days later on 25 March.
Because its Edge browser is based on the Chromium engine, Microsoft released a separate notice informing Edge users that the browser was also vulnerable to the zero-day exploit. Microsoft rolled out a patch for its browser on 26 March.
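As an added example (not from Google or the original article), the following Python script triages a browser inventory against the fixed Chrome Stable build 99.0.4844.84 named above. The hostnames, the inventory format and the sample versions are constructed, and Edge is not covered because the article does not give its fixed version.

```python
import re

# Fixed Stable-channel build named in the article for CVE-2022-1096.
FIXED_CHROME = (99, 0, 4844, 84)

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text, fixed=FIXED_CHROME):
    """Return 'patched', 'needs_update' or 'unknown' for one reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: needs manual follow-up, not a pass
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "99.0.4844.9" above "99.0.4844.84".
    return "patched" if version >= fixed else "needs_update"


def triage(inventory):
    """Group hostnames by status; inventory is an iterable of (host, version)."""
    result = {"patched": [], "needs_update": [], "unknown": []}
    for host, version_text in inventory:
        result[classify(version_text)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "99.0.4844.84"),
    ("ws-002", "99.0.4844.82"),
    ("ws-003", "99.0.4844.9"),
    ("ws-004", "100.0.4896.60"),
    ("ws-005", "98.0.4758.102"),
    ("ws-006", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group reported something that is not a four-part version and should be checked by hand rather than counted as updated.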
The latest patch fixes the second zero-day vulnerability found in the Chrome browser in nearly as many months. Google released a wave of patches earlier in February addressing seven high-severity security issues, among which was the first zero-day of the year.
Tracked as CVE-2022-0609 and carrying a CVSSv3 score of 9.8/10, the initial zero-day was also under active exploitation at the time of discovery and was a use-after-free (UAF) flaw in animation; such vulnerabilities can typically lead to code execution on victim machines.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.