Microsoft has released an emergency patch for its Edge browser after acknowledging a zero-day vulnerability that is being actively exploited in the wild. The vulnerability was first reported in Google Chrome, but because Microsoft Edge is built on Chromium, the open-source project that Chrome itself is based on, Edge is affected as well. The issue has far-reaching implications: Edge, Chrome and the other Chromium-based browsers all run on Windows, macOS and Linux, casting a wide net for potential harm.

Few details are available, as researchers are likely waiting for a larger share of users to install the patch before publishing technical details. Google's advisory does describe the vulnerability as a “type confusion” weakness in V8, the JavaScript engine used by Chromium-based browsers. Type confusion occurs when code accesses an object as if it were of a different type than the one it actually is, so that field offsets, lengths or pointers are read from the wrong bytes. In a JIT-compiled JavaScript engine this typically yields out-of-bounds memory reads and writes, which an attacker can chain into execution of arbitrary code in the browser's renderer process, usually from nothing more than a crafted web page the victim visits.
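The following is an added example, not code from the original article or from the Chromium/V8 project. It sketches the bug class in a toy object model written in C: the heap layout, the arena size, the object tags and the “secret” values are all constructed for illustration and do not reflect V8's real heap. The vulnerable element load trusts the caller's assumption that an object is an array and never looks at the type tag; handing it a number object turns attacker-chosen double bytes into a “length”, the bounds check passes, and the read walks past the number into the neighbouring object. The checked version verifies the tag before interpreting any field, which is the guard a real engine's optimised code must keep (or fall back to a slower, fully checked path).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy object model, constructed for this example only; it is not V8's layout.
 * Every object starts with a 4-byte type tag:
 *   array : [tag=T_ARRAY][count:4][count x uint32 elements]
 *   number: [tag=T_NUMBER][8-byte IEEE double]
 * Objects are packed back to back in a small arena, as on a GC heap. */
enum obj_type { T_ARRAY = 1, T_NUMBER = 2 };

#define HEAP_SIZE 64
static uint8_t heap[HEAP_SIZE];

static uint32_t rd32(size_t off) { uint32_t v; memcpy(&v, heap + off, sizeof v); return v; }
static void     wr32(size_t off, uint32_t v) { memcpy(heap + off, &v, sizeof v); }

/* Place an array object at `off`; returns the number of bytes it occupies. */
static size_t put_array(size_t off, const uint32_t *elems, uint32_t count) {
    wr32(off, T_ARRAY);
    wr32(off + 4, count);
    for (uint32_t i = 0; i < count; i++) wr32(off + 8 + 4 * (size_t)i, elems[i]);
    return 8 + 4 * (size_t)count;
}

/* Place a number object at `off`; returns the number of bytes it occupies. */
static size_t put_number(size_t off, double v) {
    wr32(off, T_NUMBER);
    memcpy(heap + off + 4, &v, sizeof v);
    return 4 + sizeof v;
}

/* Vulnerable element load: the optimised path assumes `off` is an array and
 * trusts the count field without ever checking the tag. Given a number object,
 * four bytes of the double are read as the "count". The arena bound check only
 * keeps this demo inside `heap`; a real engine has no such guard, so the
 * misread would reach arbitrary process memory. */
int array_get_fast(size_t off, uint32_t idx, uint32_t *out) {
    uint32_t count = rd32(off + 4);
    if (idx >= count) return -1;
    size_t elem = off + 8 + 4 * (size_t)idx;
    if (elem + 4 > HEAP_SIZE) return -1;
    *out = rd32(elem);
    return 0;
}

/* Hardened element load: verify the tag before interpreting any field. */
int array_get_checked(size_t off, uint32_t idx, uint32_t *out) {
    if (rd32(off) != T_ARRAY) return -2;   /* type mismatch: refuse (deopt/throw) */
    return array_get_fast(off, idx, out);
}

/* Attacker's scenario: a number whose stored bytes are large on either
 * endianness, immediately followed by an unrelated array holding a "secret".
 * Returns the offset of the array. */
static size_t build_scenario(void) {
    memset(heap, 0, sizeof heap);
    uint64_t bits = 0x400000007FFFFFFFULL;   /* a valid double; both halves are large */
    double d;
    memcpy(&d, &bits, sizeof d);
    size_t number_off = 0;
    size_t array_off = number_off + put_number(number_off, d);   /* number spans bytes 0..11 */
    static const uint32_t secret[] = { 0xDEADBEEFu, 0x41414141u };
    put_array(array_off, secret, 2);   /* tag at 12, count at 16, elements at 20 and 24 */
    return array_off;
}

/* Confused read: "index 3" of the object at offset 0 lands at byte 20, which is
 * element 0 of the neighbouring array, 8 bytes past the end of the number. */
uint32_t demo_confused_read(void) {
    build_scenario();
    uint32_t v = 0;
    array_get_fast(0, 3, &v);
    return v;   /* 0xDEADBEEF: the neighbour's secret */
}

/* The same access through the checked path is refused. */
int demo_checked_read(void) {
    build_scenario();
    uint32_t v = 0;
    return array_get_checked(0, 3, &v);   /* -2 */
}

/* The checked path still serves legitimate arrays. */
uint32_t demo_legit_read(void) {
    size_t array_off = build_scenario();
    uint32_t v = 0;
    array_get_checked(array_off, 0, &v);
    return v;   /* 0xDEADBEEF via the real array */
}

int main(void) {
    printf("confused read  : 0x%08" PRIx32 "\n", demo_confused_read());
    printf("checked read rc: %d\n", demo_checked_read());
    printf("legit read     : 0x%08" PRIx32 "\n", demo_legit_read());
    return 0;
}
```

The point to take from the toy is where the trust boundary sits: the vulnerable path is not wrong about arrays, it is wrong about *what it was given*. Real V8 type-confusion bugs arise the same way, when the optimising compiler drops or miscomputes a type check and generates code that assumes a layout the object does not have; the attacker's job is then to place a controlled value (here the double) where the assumed field lives and a sensitive object (here the array) where the misread lands.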

Microsoft has fixed the bug, tracked as CVE-2022-1096, in Edge version 99.0.1150.55, released March 26th, 2022. To confirm your Edge browser has the patched version, click the three-dot menu at the far right of the Edge toolbar, choose “Help and Feedback,” then “About Microsoft Edge.” The About page shows the installed version and triggers an update check; you should see 99.0.1150.55 or later. If it reports “An update is available,” select “Download and install,” then restart the browser once the download completes. Note that a downloaded update does not take effect until Edge is restarted; until then the running process is still the vulnerable build.

CVE-2022-1096 marks the second zero-day in Chromium-based browsers since the beginning of 2022. In February, Google and Microsoft issued emergency patches for CVE-2022-0609 after Google's Threat Analysis Group found North Korean state-backed actors exploiting it in campaigns that lured employees in the media and technology sectors to attacker-controlled websites, which triggered the exploit on arrival. Google discovered the exploitation on February 10th, 2022 and patched CVE-2022-0609 on February 14th, 2022, though researchers found signs of active exploitation as far back as January 4th, 2022. Over 300 individuals were reported to have been targeted in these campaigns.
