Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild.
The emergency updates the company issued this week impact the almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi.
It is the third such emergency update Google has had to issue for Chrome this year.
One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being used by attackers. With a type confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access.
This incompatibility can cause a browser to crash or trigger logical errors. However, if exploited, it could enable a hacker to execute arbitrary code.
“Depending on the privileges associated with the application, an attacker could view, change, or delete data,” according to the Center for Internet Security. “If this application has been configured to have fewer user rights on the system, exploitation of the most severe of this vulnerability could have less impact than if it was configured with administrative rights.”
Clement Lecigne, who is part of Google’s Threat Analysis Group (TAG), reported the vulnerability on April 13 and the company announced the fix the same day.
“Google is aware that an exploit for CVE-2022-1364 exists in the wild,” the company wrote in the alert.
Google officials did not release many details about the flaw, saying that information and links about the bug are being restricted until a majority of users are updated with the fix, which will bring Chrome to version 100.0.4896.127 across the Windows, Linux and Mac platforms. They also said they “will retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The Chrome updates will be applied in the coming days and weeks, with Chrome automatically installing them when the browser is closed and relaunched.
A month earlier, Google threat researchers found a flaw that was being abused in the while, saying it was being exploited as early as Jan. 4. In a report in March, the TAG team said two North Korean-based threat groups were exploiting a remote code execution (RCE) vulnerability in Chrome tracked as CVE-2022-0609 in campaigns dubbed Operation Dream Job and Operation AppleJeus.
The attacks focused on US-based organizations in such sectors as the news media, IT, financial tech and cryptocurrency, though the researchers said other companies in other countries also may have been targeted.®