3 billion devices are at risk.  Does that include you? (it probably does)

by | Jul 6, 2022 | News, Security

An actively exploited high severity “zero day” cyber-security exploit has been found in the Google Chrome web browser.  

With over 3 billion users it will take some time for the update roll out to everyone.  Meanwhile, everyone who uses Chrome on their PC is exposed. 

Luckily for all our Core Fundamental and Premium KARE clients, the KARE Team are already on to this and have pushed out the update to you already.  We just ask that you URGENTLY close and reopen Chrome if it is open on your screen, so the update can take effect.

Organisations that rely on “Windows Update” or “WSUS” don’t have that option, as neither manage updates to non-Microsoft applications such as Chrome.

You can manually check, though.  From the Chrome menu: Help > About Google Chrome.  The browser should try to auto-update as well.

Details:

Yesterday, Google released Chrome 103.0.5060.114 to address a high-severity zero-day vulnerability that attackers are currently exploiting in the wild.

Tracked as CVE-2022-2294, the flaw is related to a heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component of Chrome. For its part, WebRTC is a free and open-source project that enables real-time voice, text, and video communications capabilities between web browsers and devices. While Google has yet to share technical details about the bug, the impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.

Analyst comments:

CVE-2022-2294 is the fourth Chrome Zero-day that Google has addressed since the start of 2022. The previous Chrome Zero-day vulnerabilities include two high-severity type-confusion weaknesses (CVE-2022-1364 and CVE-2022-1096) in the Chrome V8 JavaScript engine and one high-severity “Use after free in Animation” bug (CVE-2022-0609). With over 3 billion users on Google Chrome, it will take some time for news of the update to reach the entire userbase. In turn, this provides threat actors enough time to target victims who are still running a vulnerable version of Chrome. Since CVE-2022-2294 is already being exploited in attacks in the wild, users should update their browser to the latest version as soon as possible to prevent further exploitation attempts.

Mitigation:

To update to the latest version of Chrome (103.0.5060.114), click on the Chrome menu > Help > About Google Chrome.
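For organisations whose patching relies on Windows Update or WSUS, the Help > About check has to be repeated on every machine. The following Python script is an added example, not code from the original post or from Google: it reads the installed Chrome version from the version-named sub-folders under Chrome's Application directory, compares it numerically with the patched build 103.0.5060.114, and also flags the case where the update is staged but Chrome has not been restarted. The install paths are assumed Windows defaults.

```python
import re
from pathlib import Path

# Build that fixes CVE-2022-2294 (version number from the advisory above).
PATCHED_VERSION = "103.0.5060.114"
# Assumption: Chrome's default per-machine and per-user install paths on Windows.
CHROME_APP_DIRS = [
    Path(r"C:\Program Files\Google\Chrome\Application"),
    Path(r"C:\Program Files (x86)\Google\Chrome\Application"),
    Path.home() / "AppData" / "Local" / "Google" / "Chrome" / "Application",
]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text: str) -> tuple:
    # Compare numerically: as strings "103.0.5060.53" sorts after
    # "103.0.5060.114", which would mark a vulnerable build as patched.
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_patched(version: str, fixed: str = PATCHED_VERSION) -> bool:
    return parse_version(version) >= parse_version(fixed)

def installed_chrome_versions(app_dirs=CHROME_APP_DIRS) -> list:
    # Chrome keeps each installed build in a sub-folder named after its version,
    # so listing them reveals the version without launching the browser. Two
    # folders mean an update is staged but Chrome has not been restarted yet.
    found = set()
    for app_dir in app_dirs:
        if app_dir.is_dir():
            for child in app_dir.iterdir():
                if child.is_dir() and _VERSION_RE.match(child.name):
                    found.add(child.name)
    return sorted(found, key=parse_version, reverse=True)  # newest first

def report(versions: list) -> str:
    # One-line verdict suitable for a fleet-check log.
    if not versions:
        return "chrome: not installed"
    newest, oldest = versions[0], versions[-1]
    if not is_patched(newest):
        return f"chrome {newest}: VULNERABLE to CVE-2022-2294, update now"
    if not is_patched(oldest):
        return f"chrome {newest} staged but {oldest} may still be running: restart Chrome"
    return f"chrome {newest}: patched"

if __name__ == "__main__":
    print(report(installed_chrome_versions()))
```

Run it from the fleet-management tool of your choice and collect the one-line output per host; anything not reporting "patched" needs an update or a browser restart.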

Source:

https://www.bleepingcomputer.com/ne…ew-chrome-zero-day-flaw-exploited-in-attacks/