Google has fixed multiple severe security vulnerabilities in its latest release of Chrome for Windows, macOS, Linux and Android. According to Google, one of the fixes was for a zero-day vulnerability. Zero-days are vulnerabilities unknown to those who developed the system. Google has withheld some details about the flaws so that users can apply the latest update before those details become public. This is also being done to ensure that hackers cannot misuse information about the zero-day flaws to create exploits.
Google Chrome version 103.0.5060.114 fixes all four of the detected vulnerabilities and will be rolled out over the next few days. Of the four, three are rated high severity: CVE-2022-2294, CVE-2022-2295, and CVE-2022-2296.
Ideally, you should look out for the latest Chrome updates on whatever platform or OS you use it on, to ensure that your browser has been patched for these vulnerabilities. You can always go to Chrome settings in the browser and open ‘About Chrome’. If a new update is available, it should be shown there or it will be applied automatically.
The Google blog post announcing the update says, “Google is aware that an exploit for CVE-2022-2294 exists in the wild,” which means that it is a zero-day vulnerability. The vulnerability was reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1. Google described it as a “heap buffer overflow” in Chrome’s WebRTC component.
Google also released Chrome for Android version 103.0.5060.71, which fixes three security vulnerabilities, including CVE-2022-2294 and CVE-2022-2295. The company said that the updated version of the browser for Android will be available on the Play Store in the next few days.
In February this year, CERT-IN (Computer Emergency Response Team), the cybersecurity arm of the Indian government, warned the public that Chrome OS could be exploited by hackers who could “bypass several restrictions and execute arbitrary code” to gain full access to the browser due to security vulnerabilities. CERT-IN recommended that users update their browsers to the latest version to avoid security issues.