Google Chrome update fixes zero-day under active exploitation

The Chrome app icon on a mobile phone display
(Image credit: Shutterstock)

Google has released a fresh wave of patches for seven high-severity security issues affecting Google Chrome, including one zero-day vulnerability under active exploitation.

The latest stable build (98.0.4758.102) for Windows, Mac, and Linux brings with it a total of 11 security fixes, with many of the highest-severity flaws relating to use after free (UAF) vulnerabilities.

The zero-day, tracked as CVE-2022-0609 and carrying a CVSSv3 score of 9.8/10, is a UAF in animation vulnerability which Google says is under active exploitation in the wild.

Discovered by Google's Threat Analysis Group researchers, Adam Weidemann and Clément Lecigne, very few details of the security flaw have been revealed but UAF vulnerabilities typically facilitate attacks such as arbitrary code execution and data corruption in unpatched software, and can lead to the takeover of a victim's machine.

UAF vulnerabilities relate to incorrect use of dynamic memory in software. Dynamic memory allocation is used by programmers to store large amounts of data within running software and blocks of data are reallocated repeatedly.

Programmes use headers to check which sections of dynamic memory are free and UAF vulnerabilities can be exploited when programmes don't manage these headers properly. These flaws allow an attacker to substitute code in place of cleared data in dynamic memory if a pointer isn't cleared after data is moved to a different block.

The majority of the high-severity vulnerabilities in the latest wave of patches relate to UAF in various components of Google Chrome. One exists in File Manager (CVE-2022-0603), another in the Webstore API (CVE-2022-0605), one in ANGLE (CVE-2022-0606), and finally one in GPU (CVE-2022-0607), as well as the zero-day.

Among the other most serious flaws available in the latest stable build is CVE-2022-0608, an integer overflow flaw in Mojo. Reported by Google Project Zero's Sergei Glazunov, integer overflow attacks occur when an arithmetic-based process within a programme returns a value greater than the range set by the target variable can hold.


Software-defined storage for dummies

Control storage costs, enable hybrid cloud and simplify storage management


Such vulnerabilities can lead to data theft, data exfiltration, a complete takeover of a system, or simply prevent the application from running properly.

Google said the update will be rolling out automatically over the coming days and weeks for all operating systems, but concerned users can force an update immediately to the latest version by navigating to the Google Chrome menu in the top right corner of the browser, hovering over 'Help', and selecting the 'About Google Chrome' menu, or by typing 'chrome://settings/help' into the URL bar.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.