Not every stable channel update for Google Chrome contains exciting new features, but that doesn’t mean you should ignore them. Keeping your software up to date is vitally important, as malicious actors are always finding new bugs to exploit. Speaking of which, Google rolled out Chrome version 99.0.4844.84 last Friday to address a new zero-day bug.
Chrome update patches zero-day bug
As Google’s Prudhvikumar Bommana noted in a blog post on Friday, the company is aware that an exploit for CVE-2022-1096 exists in the wild.
Bleeping Computer notes that the zero-day bug is a high-severity type confusion weakness in Chrome’s V8 JavaScript engine. An anonymous source reported the bug to Google on March 23rd, just two days before the update rolled out.
If an attacker is able to exploit a type of confusion vulnerability, it could potentially allow them to execute arbitrary code in the browser. They can also view, edit, or delete data if they have the necessary privileges. We’re unsure how attackers could exploit this specific bug, though, because Google wants everyone to update Chrome before sharing details.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google explains. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
Other recent exploits
This is the second major Chrome vulnerability that Google has had to patch in 2022. As noted by Bleeping Computer, North Korean state hackers exploited a zero-day bug for over a month. Google finally got around to patching it in February. The hackers used emails as well as fake and compromised websites to trick targets into triggering the exploit.
“The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users,” Google revealed. “The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.”
The hacker groups targeted more than “250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.” Google’s Threat Analysis Group (TAG) said the activity was consistent with the cyberespionage campaign Operation Dream Job. Attackers would lure in victims with fake job offers from major defense and aerospace companies. Some of the fake domains attempted to mirror ZipRecruiter, Indeed, and DisneyCareers.
How to update your Chrome browser
Chrome doesn’t always apply the latest updates when you open the browser, so if you want to check and see which version you are running, go to Settings and then About Chrome at the bottom of the menu bar on the left side of the screen.
If you are already running the latest version of the browser, then you are good to go. If not, you should begin the process of updating as soon as possible. Once it finishes downloading, click the Relaunch button to finish updating.
