Google pushes emergency Chrome update to fix zero-day used in attacks

Google has released Chrome 98.0.4758.102 for Windows, Mac, and Linux, to fix a high-severity zero-day vulnerability used by threat actors in attacks.

“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” Google said in a security advisory released today.

Google states that the Chrome update will roll out over the coming weeks. However, it is possible to install the update immediately simply by going into the Chrome menu > Help About Google Chrome.

The browser will also automatically check for new updates and install them the next time you close and relaunch Google Chrome.

Google Chrome 98 update
Google Chrome 98 update

Zero-day details not disclosed

The zero-day bug fixed today, tracked as CVE-2022-0609, is described as a “Use after free in Animation” and was assigned a High severity level.

This vulnerability was discovered by Clément Lecigne from Google’s Threat Analysis Group.

Attackers commonly exploit use after free bugs to execute arbitrary code on computers running unpatched Chrome versions or escape the browser’s security sandbox.

While Google said they have detected attacks exploiting this zero-day, it did not share any additional info regarding these incidents or technical details about the vulnerability.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.

In addition to the zero-day, this Google Chrome update fixed seven other security vulnerabilities, all but one classified as ‘High’ severity.

First Chome zero-day fixed this year

With this update, Google has addressed the first Chrome zero-day since the start of 2022.

However, we will likely see many more disclosed as the year goes on as there were a total of 16 zero-days patched in 2021:

Because this zero-day is known to have been used by attackers in the wild, is it strongly recommended that everyone install today’s Google Chrome update as soon as possible.

Source: www.bleepingcomputer.com