Google has released an update to its popular Chrome browser to fix four vulnerabilities, including one zero-day current being exploited by attackers.
The new Chrome version 103.0.5060.114 will be rolled out to Windows users over the coming days and weeks, according to a Google advisory.
It includes the high severity CVE-2022-2294, a heap buffer overflow bug in WebRTC. It was reported by Avast researcher Jan Vojtesek on July 1.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” Google said. “Google is aware that an exploit for CVE-2022-2294 exists in the wild.”
There was no additional information at the time of writing on how the zero-day is being exploited, by whom and for what purpose.
However, Google released details of two other high-severity vulnerabilities found by external researchers, which it fixed in the update.
CVE-2022-2295 is a type confusion bug in the V8 JavaScript engine, and CVE-2022-2296 is a use-after-free (UAF) flaw in the Chrome OS Shell.
Patrick Tiquet, VP of security & architecture at Keeper Security, explained that CVE-2022-2294 could lead to arbitrary remote code execution simply by visiting a malicious website.
“This could enable an attacker to perform a variety of actions on a target system, such as install malware or steal information. Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets – compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser,” he added.
“Ensuring that web browsers are patched is a user or customer organization responsibility. Web browsers, if not maintained and patched, can be a weak link in the security of any cloud-based service. Client web browsers should be particularly concerning to cloud services in this case because they are largely outside of the security controls of the cloud service provider.”
This is the fourth Chrome zero-day bug that Google has been forced to fix so far this year after updates in February, March and April.