Zero-day puts a dent in Chrome’s mojo

On Friday, Google announced the release of a new version of its Chrome browser that includes a security fix for a zero-day tracked as CVE-2022-3075. As with previous announcements, technical details about the vulnerability won’t be released until a certain number of Chrome users have already applied the patch.

Google is urging its Windows, Mac, and Linux users to update Chrome to version 105.0.5195.102.

CVE-2022-3075 is described as an “[i]nsufficient data validation in Mojo”. According to Chromium documents, Mojo is “a collection of runtime libraries” that facilitates interfacing standard, low-level interprocess communication (IPC) primitives. Mojo provides a platform-agnostic abstraction of these primitives, which comprise most of Chrome’s code.

An anonymous security researcher is credited for discovering and reporting the flaw.

CVE-2022-3075 is the sixth zero-day Chrome vulnerability Google had to address. The previous ones were:

  • CVE-2022-0609, a Use-after-Free (UAF) vulnerability, which was patched in February
  • CVE-2022-1096, a “Type Confusion in V8” vulnerability, which was patched in March
  • CVE-2022-1364, a flaw in the V8 JavaScript engine, which was patched in April
  • CVE-2022-2294, a flaw in the Web Real-Time Communications (WebRTC), which was patched in July
  • CVE-2022-2856, an insufficient input validation flaw, which was patched in August

Google Chrome needs minimum oversight as it updates automatically. However, if you’re in the habit of not closing your browser or have extensions that may hinder Chrome from automatically doing this, please check your browser every now and then.

Once Chrome notifies you of an available update, don’t hesitate to download it. The patch is applied once you relaunch the browser.

Stay safe!

https://blog.malwarebytes.com/feed/