IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google Chrome update fixes zero-day under active exploitation

Google releases a fresh wave of patches for severe vulnerabilities that could facilitate code execution and system takeover via Google Chrome

Google has released a fresh wave of patches for seven high-severity security issues affecting Google Chrome, including one zero-day vulnerability under active exploitation.

The latest stable build (98.0.4758.102) for Windows, Mac, and Linux brings with it a total of 11 security fixes, with many of the highest-severity flaws relating to use after free (UAF) vulnerabilities.

The zero-day, tracked as CVE-2022-0609 and carrying a CVSSv3 score of 9.8/10, is a UAF in animation vulnerability which Google says is under active exploitation in the wild.

Discovered by Google's Threat Analysis Group researchers, Adam Weidemann and Clément Lecigne, very few details of the security flaw have been revealed but UAF vulnerabilities typically facilitate attacks such as arbitrary code execution and data corruption in unpatched software, and can lead to the takeover of a victim's machine.

UAF vulnerabilities relate to incorrect use of dynamic memory in software. Dynamic memory allocation is used by programmers to store large amounts of data within running software and blocks of data are reallocated repeatedly. 

Programmes use headers to check which sections of dynamic memory are free and UAF vulnerabilities can be exploited when programmes don't manage these headers properly. These flaws allow an attacker to substitute code in place of cleared data in dynamic memory if a pointer isn't cleared after data is moved to a different block.

The majority of the high-severity vulnerabilities in the latest wave of patches relate to UAF in various components of Google Chrome. One exists in File Manager (CVE-2022-0603), another in the Webstore API (CVE-2022-0605), one in ANGLE (CVE-2022-0606), and finally one in GPU (CVE-2022-0607), as well as the zero-day.

Among the other most serious flaws available in the latest stable build is CVE-2022-0608, an integer overflow flaw in Mojo. Reported by Google Project Zero's Sergei Glazunov, integer overflow attacks occur when an arithmetic-based process within a programme returns a value greater than the range set by the target variable can hold.

Related Resource

Software-defined storage for dummies

Control storage costs, enable hybrid cloud and simplify storage management

Whitepaper cover with cartoon face of man wearing glasses in a yellow circle, with blue, black and yellow backgroundFree Download

Such vulnerabilities can lead to data theft, data exfiltration, a complete takeover of a system, or simply prevent the application from running properly.

Google said the update will be rolling out automatically over the coming days and weeks for all operating systems, but concerned users can force an update immediately to the latest version by navigating to the Google Chrome menu in the top right corner of the browser, hovering over 'Help', and selecting the 'About Google Chrome' menu, or by typing 'chrome://settings/help' into the URL bar.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Google patches second Chrome browser zero-day of 2022
zero-day exploit

Google patches second Chrome browser zero-day of 2022

28 Mar 2022
Lenovo IdeaPad Duet 5 Chromebook review: A confident convertible
Laptops

Lenovo IdeaPad Duet 5 Chromebook review: A confident convertible

14 Mar 2022
Acer Chromebook Spin 513 review: Cheap and mostly cheerful
Laptops

Acer Chromebook Spin 513 review: Cheap and mostly cheerful

11 Mar 2022
Google says Chrome is now faster than Safari on Apple Silicon
web browser

Google says Chrome is now faster than Safari on Apple Silicon

8 Mar 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Researchers demonstrate how to install malware on iPhone after it's switched off
Security

Researchers demonstrate how to install malware on iPhone after it's switched off

18 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022