Update now! Zero-day vulnerability closed in Google Chrome

The manufacturer has closed several security gaps in the Google Chrome web browser. Attackers are already abusing one of them in the wild.

Google has released version 103.0.5060.114 of the Chrome web browser for Windows, which closes four security holes. The manufacturer classifies at least three of these as high risk. In addition, exploit code for one of the vulnerabilities exists in the wild, the developers write. The updated version 103.0.5060.71 of Chrome for Android is also available and likewise closes the actively abused vulnerability.

Exploit code circulating

The bug for which malicious code is already circulating resides in WebRTC (Web Real-Time Communication), a suite of protocols for web communication (CVE-2022-2294, risk “high”). Avast security researchers discovered it and reported it on July 1st. As usual, Google has not given any further details, in order to protect users until they have installed the available update.

Another vulnerability is a type confusion and affects the JavaScript engine V8 (CVE-2022-2295, high). In a type confusion, the code allocates or initializes a resource, such as a pointer, object, or variable, with a certain type, but later accesses the resource with an incompatible data type. This can lead to access outside the allocated memory and thus possibly to the execution of injected code.
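The following C program is an added illustration of the type confusion pattern described above, not code from Chrome, V8 or the original article. The types `small` and `large` and all function names are constructed for the example; it computes how far an access through the wrong type would land outside the allocation (without performing it) and shows an accessor that checks the recorded type first.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed types for illustration only; not V8 or Chrome code. */
enum kind { KIND_SMALL, KIND_LARGE };
struct header { enum kind kind; size_t alloc_size; };   /* shared first member */
struct small  { struct header h; unsigned char data[8];  };
struct large  { struct header h; unsigned char data[64]; };

/* Allocate a zeroed object of the requested kind and record its real size. */
struct header *make_obj(enum kind k) {
    size_t n = (k == KIND_LARGE) ? sizeof(struct large) : sizeof(struct small);
    struct header *h = calloc(1, n);
    if (h) { h->kind = k; h->alloc_size = n; }
    return h;
}

/* What an unchecked cast to struct large would do: returns how many bytes past
 * the end of the real allocation data[idx] lies (0 means in bounds).
 * The offset is computed instead of dereferenced, so the demo has no UB. */
size_t bytes_past_end_as_large(const struct header *obj, size_t idx) {
    size_t end = offsetof(struct large, data) + idx + 1;
    return end > obj->alloc_size ? end - obj->alloc_size : 0;
}

/* Hardened accessor: verify the recorded type and the index before the cast. */
int read_large_checked(const struct header *obj, size_t idx, unsigned char *out) {
    if (obj == NULL || obj->kind != KIND_LARGE) return -1;
    const struct large *l = (const struct large *)obj;
    if (idx >= sizeof l->data) return -1;
    *out = l->data[idx];
    return 0;
}

int main(void) {
    struct header *s = make_obj(KIND_SMALL), *l = make_obj(KIND_LARGE);
    unsigned char b = 0;
    if (!s || !l) return 1;
    printf("small as large, data[63]: %zu bytes out of bounds\n",
           bytes_past_end_as_large(s, 63));
    printf("checked read on small: %d\n", read_large_checked(s, 63, &b));
    printf("checked read on large: %d\n", read_large_checked(l, 63, &b));
    free(s); free(l);
    return 0;
}
```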

Another briefly described vulnerability surprisingly affects a Chrome OS shell, which the browser apparently comes with (CVE-2022-2296, high). A use-after-free vulnerability there can give cybercriminals a point of attack.

Manually trigger browser update

Since one of the vulnerabilities is already being exploited in the wild, users should quickly check whether they are using the current version. To do this, they have to click on the “three-dot menu” in the upper right corner of the address bar and then go to “Help” > “About Google Chrome”. Either Chrome will then already display the current version number, or this will trigger the download and installation of the update.

Because the vulnerabilities affect several components that are also used in the underlying Chromium project – such as the JavaScript Engine V8 – providers of other Chromium-based web browsers should also offer updates shortly. About two weeks ago, Google closed 14 other vulnerabilities in the web browser.
