
Update Chrome right now to patch a dangerous zero-day bug

Published Mar 28th, 2022 12:33PM EDT


Not every stable channel update for Google Chrome contains exciting new features, but that doesn’t mean you should ignore them. Keeping your software up to date is vitally important, as malicious actors are always finding new bugs to exploit. Speaking of which, Google rolled out Chrome version 99.0.4844.84 last Friday to address a new zero-day bug.

Chrome update patches zero-day bug

As Google’s Prudhvikumar Bommana noted in a blog post on Friday, the company is aware that an exploit for CVE-2022-1096 exists in the wild.

Bleeping Computer notes that the zero-day bug is a high-severity type confusion weakness in Chrome’s V8 JavaScript engine. An anonymous source reported the bug to Google on March 23rd, just two days before the update rolled out.

If an attacker is able to exploit a type confusion vulnerability, it could potentially allow them to execute arbitrary code in the browser. They can also view, edit, or delete data if they have the necessary privileges. We’re unsure how attackers could exploit this specific bug, though, because Google wants everyone to update Chrome before sharing details.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google explains. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

Other recent exploits

This is the second major Chrome vulnerability that Google has had to patch in 2022. As noted by Bleeping Computer, North Korean state hackers exploited a zero-day bug for over a month. Google finally got around to patching it in February. The hackers used emails as well as fake and compromised websites to trick targets into triggering the exploit.

“The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users,” Google revealed. “The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.”

The hacker groups targeted more than “250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.” Google’s Threat Analysis Group (TAG) said the activity was consistent with the cyberespionage campaign Operation Dream Job. Attackers would lure in victims with fake job offers from major defense and aerospace companies. Some of the fake domains attempted to mirror ZipRecruiter, Indeed, and DisneyCareers.

How to update your Chrome browser

Chrome doesn’t always apply the latest updates when you open the browser, so if you want to check and see which version you are running, go to Settings and then About Chrome at the bottom of the menu bar on the left side of the screen.

If you are already running the latest version of the browser, then you are good to go. If not, you should begin the process of updating as soon as possible. Once it finishes downloading, click the Relaunch button to finish updating.
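For anyone checking more than one machine, here is an added example (not from Google or from this article) that compares reported Chrome version strings against the fixed build 99.0.4844.84. It assumes each machine reports a banner such as "Google Chrome 99.0.4844.84"; the host names and banners in the sample are constructed.

```python
import re

# Fixed build named in the article for CVE-2022-1096.
PATCHED = (99, 0, 4844, 84)

# Four dot-separated integers, as in a "Google Chrome 99.0.4844.84" banner
# (banner format is an assumption of this example).
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(banner):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(banner, minimum=PATCHED):
    """True if at or above the fixed build, False if older, None if unreadable.

    Tuples of ints compare numerically, so 100.x sorts after 99.x and
    build .9 sorts before .84; plain string comparison gets both wrong.
    """
    version = parse_version(banner)
    if version is None:
        return None
    return version >= minimum


def audit(inventory):
    """Map each host to 'patched', 'VULNERABLE' or 'unknown'."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: labels[is_patched(banner)] for host, banner in inventory.items()}


# Constructed sample inventory: host names and banners are made up.
SAMPLE = {
    "laptop-01": "Google Chrome 99.0.4844.84",
    "laptop-02": "Google Chrome 99.0.4844.82",
    "laptop-03": "Google Chrome 100.0.4896.60",
    "laptop-04": "Google Chrome 99.0.4844.9 ",
    "kiosk-01": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check through the About Chrome page rather than being assumed safe.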

Jacob Siegal Associate Editor
