Google engineers have issued an emergency update for the Chrome browser to fix a high-severity vulnerability that can be exploited with code that’s already available in the wild.
The vulnerability, which Google disclosed on Friday, is the result of “insufficient data validation in Mojo,” a Chrome component for messaging across inter- and intra-process boundaries that exist between the browser and the operating system it runs on. The vulnerability, which is tracked as CVE-2022-3075, was reported to Google last Tuesday by an anonymous party.
“Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild,” the company said. The advisory didn’t provide additional details, such as whether attackers are actively exploiting the vulnerability or are simply in possession of exploit code.
Microsoft’s Edge browser, which is built on the same Chromium engine as Chrome, has also been updated to fix the same flaw.
The emergence of the exploit is the sixth zero-day vulnerability Chrome has succumbed to this year. The previous zero-days are:
- CVE-2022-0609, a Use-after-Free patched in February
- CVE-2022-1096, a “Type Confusion in V8” vulnerability that was patched in March
- CVE-2022-2294, a flaw in the Web Real-Time Communications, which was patched in July
- CVE-2022-2856, an insufficient input validation flaw, which was patched in August
The latest security flaw was addressed with the release of Chrome version 105.0.5195.102, available for Windows, Mac, and Linux. Google’s advisory makes no mention of Chrome for iOS or Android. Like most modern browsers, Chrome, by default, automatically installs patches, so it’s likely most devices with Chrome have already received the update. Users can check by going to Chrome > Settings > About Chrome.
Author: Dan Goodin