Google has released an emergency patch for their Chrome web browser following the acknowledgment of a zero-day exploit known to be actively used in the wild. Few details are available surrounding the issue as researchers are likely waiting for a larger userbase to adopt the patch before releasing technical details. However, there are indications that the vulnerability is of a “type confusion” weakness in the JavaScript V8 engine of Chrome browsers. Type confusion vulnerabilities are source code errors that allow an application to be tricked into reading unexpected input. Under the right conditions, this bug can cause errors in the app’s memory, allowing an attacker to execute malicious code in the environment.
Google has fixed the bug - deemed CVE-2022-1096 - with a Chrome update to stable version 99.0.4844.84. Upon start-up, Chrome will automatically check for updates; however, if you wish to check manually, you can navigate to “menu > settings > about,” which will prompt the browser to look for available updates. Chromium, an open-sourced browser based on Google Chrome, will require an update to version 99.0.4844.84 as well; similarly, Microsoft Edge (Chromium-based) has released an update to patched version 99.0.1150.55 of their browser to address this issue.
CVE-2022-1096 marks the second zero-day discovery in Google Chrome since the beginning of 2022. Previously, in February, Google had issued an emergency patch for Chrome following the discovery of foreign state actors exploiting a vulnerability in Chrome during a campaign that lured targeted employees in both the media and tech industry into navigating to vulnerable websites, which would trigger the exploit upon arrival. CVE-2022-0609 was patched by Google on February 10th, 2022, though researchers found signs of active exploitation as far back as January 4th, 2022. Over 300 individuals were said to be targeted in this campaign.