Google Warns Of Serious New Chrome Hack Attack Targeting Windows & Android

July 7 Update below. This post was originally published on July 6.

Yet another Chrome zero-day security exploit, the fourth this year, has just been confirmed by Google. It warns that hack attacks have been spotted in the wild with Android and Windows users in the crosshairs.

In a 4th of July posting, Google confirmed an update to Chrome 103.0.5060.114 for Windows would start rolling out in the days and weeks to come. While the Chrome browser will automatically update to this patched version, and protection will be in place once the application is restarted, there's a very good reason not to wait this month. That reason is CVE-2022-2294.

What is CVE-2022-2294?

This high-severity security vulnerability, reported by a member of the Avast Threat Intelligence team, is only described as a heap buffer overflow in RTC. Full details are being withheld until most Chrome users have had a chance to update. The reason to update sooner, much sooner in fact, rather than later is that this is the zero-day threat. It was only reported on 1 July, and Google has rushed to fix it while confirming it "is aware that an exploit for CVE-2022-2294 exists in the wild."

Two other high-severity vulnerabilities have also been confirmed as fixed in this latest update: CVE-2022-2295 (type confusion in V8) and CVE-2022-2296 (use after free in Chrome OS Shell).

Chrome for Android is also under active attack

At the same time, Android users are also being advised to update as soon as possible for the same reason. CVE-2022-2294 also impacts the Android Chrome app, and Google has confirmed that attacks have been spotted in the wild. The protected Chrome for Android version number is 103.0.5060.71, which will be available via Google Play.

What Windows users need to do now to protect against this new threat to Google Chrome

Windows users are advised to install the Chrome update as a matter of some urgency. You can do this by heading for the Help|About option in the Chrome menu, forcing an update check, and automatically downloading and installing it as required. Remember that you will not be protected until you restart your browser.

July 7 Update

Hopefully, your copy of Google Chrome for both Windows and Android should have been updated by now. If you tend to keep a desktop browser open for days or weeks on end without shutting down your computer, this doesn't mean an automatic update will actually be protecting you. Restarting your browser will activate that protection or kickstart a download if not already waiting to be installed. The same advice applies to users of other web browsers that use the Chromium engine under the hood. Microsoft Edge is the biggest of these by user number. I have been relatively vocal in the recent past that these critical updates take far too long to arrive with Edge users. A delay of 24 or 48 hours isn't unusual and sometimes has been much longer, and that's time enough for someone to potentially step through that open threat window.

So, I'm very pleased to be able to update this article with the news that Microsoft has already rolled out an update for Edge users. According to Microsoft, version 103.0.1264.49 contains a fix for CVE-2022-2294. That's the zero-day that has already been confirmed as exploited by cyber-criminals. Like Chrome, Edge also updates automatically but requires the same restart to be appropriately activated. So, fire that browser up and ensure you are protected by heading for the 'Help and feedback|About Microsoft Edge' entry in the three-dot menu top right.
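For anyone looking after more than one machine, the checks described above can be scripted. The following is an added example, not code from Google, Microsoft or the original article: it compares an inventory against the fixed builds named in this post and separates machines that still need the update from those that have it on disk but have not restarted. The inventory rows, host names, field names and the older build 103.0.5060.66 are constructed for illustration.

```python
# Added example: fixed builds come from the article; inventory rows and
# field names are constructed for illustration.
FIXED = {
    ("chrome", "windows"): "103.0.5060.114",
    ("chrome", "android"): "103.0.5060.71",
    ("edge", "windows"): "103.0.1264.49",
}

def parse(version):
    """Turn '103.0.5060.114' into (103, 0, 5060, 114) for numeric comparison."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)

def status(browser, platform, installed, running=None):
    """Classify one endpoint against the build that fixes CVE-2022-2294."""
    key = (browser.lower(), platform.lower())
    if key not in FIXED:
        return "unknown-product"
    fixed = parse(FIXED[key])
    if parse(installed) < fixed:
        return "update-needed"
    # Update is on disk, but the process in memory predates the fix.
    if running is not None and parse(running) < fixed:
        return "restart-needed"
    return "protected"

def naive_is_patched(installed, fixed):
    """String comparison, kept only to show why it gives wrong answers."""
    return installed >= fixed

# Constructed rows: (host, browser, platform, installed, running)
INVENTORY = [
    ("host-a", "chrome", "windows", "103.0.5060.66", "103.0.5060.66"),
    ("host-b", "chrome", "windows", "103.0.5060.114", "103.0.5060.66"),
    ("host-c", "edge", "windows", "103.0.1264.49", "103.0.1264.49"),
    ("phone-d", "chrome", "android", "103.0.5060.71", None),
]

def report(rows=INVENTORY):
    """Map each host to its status."""
    return {host: status(b, p, inst, run) for host, b, p, inst, run in rows}

if __name__ == "__main__":
    for host, result in report().items():
        print(host, result)
```

Comparing the version strings as text would rate the constructed build 103.0.5060.66 as newer than 103.0.5060.114, because "6" sorts after "1", which is why each component is compared as a number.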
