Google patches yet another Chrome zero-day vulnerability
Google has released a security update for the Chrome browser on Windows, Mac and Linux to fix a newly discovered zero-day vulnerability that is being actively exploited in attacks.
A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched.
In a recent report, Google researchers have released Chrome 105.0.5195.102 for Windows, Mac, and Linux users to “address a single high-severity security flaw CVE-2022-307”.
CVE is a programme that aims to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. The recent one relates to insufficient data validation in Mojo, a collection of runtime libraries used in Chromium, which powers much of the code behind the Google Chrome browser, it said.
Google researchers said that this is the sixth urged end users to apply the update as soon as possible. The new security patch is set to be rolled out to users over the coming days and weeks. Users are urged to apply the update when Chrome asks them.
Google said that this security issue was found by a security researcher who chose to report it anonymously.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said, adding that it will also “retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed”.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Google.
Meanwhile, Apple has also rolled out new updates to iOS to fix an actively exploited zero-day security vulnerability that it patched earlier this month in newer devices. The vulnerability, found in WebKit, Apple’s browser engine used primarily in its Safari web browser as well as in all iOS web browsers, could have allowed attackers to create malicious Web content that allows remote code execution (RCE) on a user's device.
The update applies to the following models: iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation, the company said.
Apple described the flaw (CVE-2022-32893) as an out-of-bounds write issue in WebKit, acknowledged that the bug is under active exploitation, and is urging users of affected devices to update immediately.