IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google Chrome update fixes zero-day under active exploitation

Google releases a fresh wave of patches for severe vulnerabilities that could facilitate code execution and system takeover via Google Chrome

Google has released a fresh wave of patches for seven high-severity security issues affecting Google Chrome, including one zero-day vulnerability under active exploitation.

The latest stable build (98.0.4758.102) for Windows, Mac, and Linux brings with it a total of 11 security fixes, with many of the highest-severity flaws relating to use after free (UAF) vulnerabilities.

The zero-day, tracked as CVE-2022-0609 and carrying a CVSSv3 score of 9.8/10, is a UAF in animation vulnerability which Google says is under active exploitation in the wild.

Discovered by Google's Threat Analysis Group researchers, Adam Weidemann and Clément Lecigne, very few details of the security flaw have been revealed but UAF vulnerabilities typically facilitate attacks such as arbitrary code execution and data corruption in unpatched software, and can lead to the takeover of a victim's machine.

UAF vulnerabilities relate to incorrect use of dynamic memory in software. Dynamic memory allocation is used by programmers to store large amounts of data within running software and blocks of data are reallocated repeatedly. 

Programmes use headers to check which sections of dynamic memory are free and UAF vulnerabilities can be exploited when programmes don't manage these headers properly. These flaws allow an attacker to substitute code in place of cleared data in dynamic memory if a pointer isn't cleared after data is moved to a different block.

The majority of the high-severity vulnerabilities in the latest wave of patches relate to UAF in various components of Google Chrome. One exists in File Manager (CVE-2022-0603), another in the Webstore API (CVE-2022-0605), one in ANGLE (CVE-2022-0606), and finally one in GPU (CVE-2022-0607), as well as the zero-day.

Among the other most serious flaws available in the latest stable build is CVE-2022-0608, an integer overflow flaw in Mojo. Reported by Google Project Zero's Sergei Glazunov, integer overflow attacks occur when an arithmetic-based process within a programme returns a value greater than the range set by the target variable can hold.

Related Resource

Software-defined storage for dummies

Control storage costs, enable hybrid cloud and simplify storage management

Whitepaper cover with cartoon face of man wearing glasses in a yellow circle, with blue, black and yellow backgroundFree Download

Such vulnerabilities can lead to data theft, data exfiltration, a complete takeover of a system, or simply prevent the application from running properly.

Google said the update will be rolling out automatically over the coming days and weeks for all operating systems, but concerned users can force an update immediately to the latest version by navigating to the Google Chrome menu in the top right corner of the browser, hovering over 'Help', and selecting the 'About Google Chrome' menu, or by typing 'chrome://settings/help' into the URL bar.

Featured Resources

The 3D skills report

Add 3D skills to your creative toolkits and play a sizeable role in the digital future

Free Download

The increasing need for environmental intelligence solutions

How sustainability has become a major business priority and is continuing to grow in importance

Free Download

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

Solve global challenges with machine learning

Tackling our word's hardest problems with ML

Free Download

Recommended

Spanish spyware outfit uncovered, develops exploits for Windows, Chrome, and Firefox
spyware

Spanish spyware outfit uncovered, develops exploits for Windows, Chrome, and Firefox

1 Dec 2022
Google rolls out patch for high-severity Chrome browser zero day
zero-day exploit

Google rolls out patch for high-severity Chrome browser zero day

25 Nov 2022
Google adds new security vendor plugins for Chrome, improved Chrome OS policy controls for IT admins
operating systems

Google adds new security vendor plugins for Chrome, improved Chrome OS policy controls for IT admins

27 May 2022
Google Chrome branded the least effective browser for stopping phishing attacks
phishing

Google Chrome branded the least effective browser for stopping phishing attacks

26 May 2022

Most Popular

Why energy efficient technology is key to a sustainable business
Sponsored

Why energy efficient technology is key to a sustainable business

16 Jan 2023
Yandex data breach reveals source code littered with racist language
data breaches

Yandex data breach reveals source code littered with racist language

30 Jan 2023
European partners expect growth this year, here are three ways they will achieve it
Sponsored

European partners expect growth this year, here are three ways they will achieve it

17 Jan 2023