Google has issued an emergency update for a vulnerability in its Chrome browser that is already being exploited in the wild. Google rates the bug as high severity.
The bug (CVE-2022-2294) is a heap-based buffer overflow caused by a boundary error in Chrome's WebRTC implementation. A remote attacker who lures the victim to a specially crafted website can trigger the overflow and execute arbitrary code, which the advisory's readers should treat as a path to compromising the target system. A memory-corruption bug of this kind is typically the first stage of an exploit chain; Google's advisory does not say whether the in-the-wild attacks paired it with a sandbox escape.
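Google has published no technical details or proof of concept for CVE-2022-2294, so the following is a constructed illustration of the bug class the advisory names (a copy into a heap buffer with no check against the buffer's remaining capacity), written for this page. It is not WebRTC or Chrome code; the `frame` struct, the 64-byte capacity and the function names are assumptions. It shows the vulnerable pattern beside the checked form and why the check is written against the remaining space rather than as `used + len > capacity`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of a heap-based buffer overflow from a missing bounds
 * check. Nothing here is WebRTC or Chrome code; the struct, names and sizes
 * are assumptions made for illustration only. */

#define FRAME_CAPACITY 64

struct frame {
    uint8_t *data;   /* heap buffer of exactly FRAME_CAPACITY bytes */
    size_t used;     /* bytes already written into data */
};

static struct frame *frame_new(void) {
    struct frame *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->data = calloc(FRAME_CAPACITY, 1);
    if (!f->data) { free(f); return NULL; }
    return f;
}

static void frame_free(struct frame *f) {
    if (!f) return;
    free(f->data);
    free(f);
}

/* VULNERABLE: 'len' is a length field taken from the peer's packet and is
 * copied without comparing it against the remaining capacity. When
 * used + len exceeds FRAME_CAPACITY the copy writes past the allocation and
 * overwrites whatever the heap allocator placed next to it. */
static int append_vulnerable(struct frame *f, const uint8_t *payload, size_t len) {
    memcpy(f->data + f->used, payload, len);
    f->used += len;
    return 0;
}

/* CHECKED: bound the copy by the remaining capacity. The comparison is
 * 'len > remaining' rather than 'used + len > FRAME_CAPACITY' so that a very
 * large 'len' cannot wrap the addition around and slip past the test. */
static int append_checked(struct frame *f, const uint8_t *payload, size_t len) {
    size_t remaining = FRAME_CAPACITY - f->used;
    if (len > remaining)
        return -1;   /* reject the packet instead of overflowing */
    memcpy(f->data + f->used, payload, len);
    f->used += len;
    return 0;
}

/* Feed a constructed, oversized peer-supplied payload to the checked version
 * and report whether it was refused. Returns 1 on correct behaviour, 0 on a
 * logic error, -1 if allocation failed. The vulnerable version is exercised
 * only with in-bounds input, because overflowing for real is undefined
 * behaviour and would corrupt this process's heap. */
static int demo_oversized_rejected(void) {
    uint8_t payload[200];
    memset(payload, 0x41, sizeof payload);              /* constructed attacker data */
    struct frame *f = frame_new();
    if (!f) return -1;
    int rc_vuln_ok = append_vulnerable(f, payload, 40);      /* fits: 0, used = 40 */
    int rc_bad     = append_checked(f, payload, sizeof payload); /* 40 + 200 > 64: -1 */
    int result = (rc_vuln_ok == 0 && rc_bad == -1 && f->used == 40);
    frame_free(f);
    return result;
}

/* Boundary case: exactly the remaining capacity is allowed, one more byte is
 * not. Returns 1 when both outcomes are as expected. */
static int demo_exact_capacity(void) {
    uint8_t payload[FRAME_CAPACITY + 1];
    memset(payload, 0x42, sizeof payload);
    struct frame *f = frame_new();
    if (!f) return -1;
    int rc_full = append_checked(f, payload, FRAME_CAPACITY);  /* 0, used = 64 */
    int rc_over = append_checked(f, payload, 1);               /* -1, buffer is full */
    int result = (rc_full == 0 && rc_over == -1 && f->used == FRAME_CAPACITY);
    frame_free(f);
    return result;
}

int main(void) {
    printf("oversized payload rejected: %s\n", demo_oversized_rejected() == 1 ? "yes" : "NO");
    printf("exact capacity handled:     %s\n", demo_exact_capacity() == 1 ? "yes" : "NO");
    return 0;
}
```

To see the vulnerable path fail loudly rather than silently, build with `-fsanitize=address` and call `append_vulnerable` with the 200-byte payload: AddressSanitizer reports a heap-buffer-overflow at the `memcpy`, which is the same class of report a fuzzer would have produced for the real bug.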
The bug affects both the Windows and Android versions of Google's browser. It was fixed in Chrome 103.0.5060.114 for Windows, which is currently shipping through the Stable Desktop channel; according to Google, the new version will reach all users over the coming days and weeks.
Google also fixed the vulnerability in Chrome 103 for Android (103.0.5060.71). That build will become available on Google Play over the next few days.
As usual, Google has not shared any details about the zero-day beyond the fact that it is being exploited, and no information about the attacks themselves is available either. Google's standing practice is to restrict access to the bug report until a majority of users have updated, so that the details do not hand other attackers a ready-made exploit.
This is the fourth Chrome zero-day Google has fixed in 2022. Earlier this year it patched CVE-2022-1364 (April 14), CVE-2022-1096 (March 25) and CVE-2022-0609 (February 14), all of which were also exploited in the wild before a fix was available.
According to a recent Google Project Zero report, at least half of the zero-days seen in the first half of 2022 were variants of previously patched vulnerabilities, most of them fixed in 2021.