IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google Chrome update fixes zero-day under active exploitation

Google releases a fresh wave of patches for severe vulnerabilities that could facilitate code execution and system takeover via Google Chrome

Google has released a fresh wave of patches for seven high-severity security issues affecting Google Chrome, including one zero-day vulnerability under active exploitation.

The latest stable build (98.0.4758.102) for Windows, Mac, and Linux brings with it a total of 11 security fixes, with many of the highest-severity flaws relating to use after free (UAF) vulnerabilities.

The zero-day, tracked as CVE-2022-0609 and carrying a CVSSv3 score of 9.8/10, is a UAF in animation vulnerability which Google says is under active exploitation in the wild.

Discovered by Google's Threat Analysis Group researchers, Adam Weidemann and Clément Lecigne, very few details of the security flaw have been revealed but UAF vulnerabilities typically facilitate attacks such as arbitrary code execution and data corruption in unpatched software, and can lead to the takeover of a victim's machine.

UAF vulnerabilities relate to incorrect use of dynamic memory in software. Dynamic memory allocation is used by programmers to store large amounts of data within running software and blocks of data are reallocated repeatedly. 

Programmes use headers to check which sections of dynamic memory are free and UAF vulnerabilities can be exploited when programmes don't manage these headers properly. These flaws allow an attacker to substitute code in place of cleared data in dynamic memory if a pointer isn't cleared after data is moved to a different block.

The majority of the high-severity vulnerabilities in the latest wave of patches relate to UAF in various components of Google Chrome. One exists in File Manager (CVE-2022-0603), another in the Webstore API (CVE-2022-0605), one in ANGLE (CVE-2022-0606), and finally one in GPU (CVE-2022-0607), as well as the zero-day.

Among the other most serious flaws available in the latest stable build is CVE-2022-0608, an integer overflow flaw in Mojo. Reported by Google Project Zero's Sergei Glazunov, integer overflow attacks occur when an arithmetic-based process within a programme returns a value greater than the range set by the target variable can hold.

Related Resource

Software-defined storage for dummies

Control storage costs, enable hybrid cloud and simplify storage management

Whitepaper cover with cartoon face of man wearing glasses in a yellow circle, with blue, black and yellow backgroundFree Download

Such vulnerabilities can lead to data theft, data exfiltration, a complete takeover of a system, or simply prevent the application from running properly.

Google said the update will be rolling out automatically over the coming days and weeks for all operating systems, but concerned users can force an update immediately to the latest version by navigating to the Google Chrome menu in the top right corner of the browser, hovering over 'Help', and selecting the 'About Google Chrome' menu, or by typing 'chrome://settings/help' into the URL bar.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Google adds new security vendor plugins for Chrome, improved Chrome OS policy controls for IT admins
operating systems

Google adds new security vendor plugins for Chrome, improved Chrome OS policy controls for IT admins

27 May 2022
Google Chrome branded the least effective browser for stopping phishing attacks
phishing

Google Chrome branded the least effective browser for stopping phishing attacks

26 May 2022
Google patches second Chrome browser zero-day of 2022
zero-day exploit

Google patches second Chrome browser zero-day of 2022

28 Mar 2022
Lenovo IdeaPad Duet 5 Chromebook review: A confident convertible
Laptops

Lenovo IdeaPad Duet 5 Chromebook review: A confident convertible

14 Mar 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Delivery firm Yodel disrupted by cyber attack
cyber attacks

Delivery firm Yodel disrupted by cyber attack

21 Jun 2022
Swift exit: How the world cut off Russian banks
finance

Swift exit: How the world cut off Russian banks

24 Jun 2022