Google patches “in-the-wild” Chrome zero-day – update now! – Naked Security

Google’s latest update to the Chrome browser fixes a varying number of bugs, depending on whether you’re on Android, Windows or Mac, and depending on whether you’re running the “stable channel” or the “extended stable channel”.

Don’t worry if you find the plethora of Google blog posts confusing…

…we did too, so we’ve tried to come up with an all-in-one summary below.

The Stable channel is the very latest version, including all new browser features, currently numbered Chrome 103.

The Extended Stable channel identifies itself as Chrome 102and doesn’t have the latest features but does have the latest security fixes.

Three CVE-numbered bugs are listed across the three bulletins listed above:

  • CVE-2022-2294: Buffer overflow in WebRTC. A zero-day hole, already known to the cybercrime fraternity and actively exploited in the wild. This bug appears in all versions listed above: Android, Windows and Mac, in both “stable” and “extended stable” flavors. WebRTC is short for “web real-time communication”, which is used by many audio and video sharing services you use, such as those for remote meetings, webinars and online phone calls.
  • CVE-2022-2295: Type confusion in V8. The term V8 refers to Google’s JavaScript engine, used by any website that includes JavaScript code, which, in 2022, is almost every website out there. This bug appears in Android, Windows and Mac, but apparently in the Chrome 103 flavor (“stable channel”) only.
  • CVE-2022-2296: Use-after-free in Chrome OS Shell. This is listed as applying to the “stable channel” on Windows and Mac, although the Chrome OS shell is, as the name suggests, part of Chrome OSwhich is neither Windows nor Mac based.

Additionally, Google has patched against a bunch of non-CVE-numbered bugs that are collectively labelled with Bug ID 1341569.

These patches provide a slew of proactive fixes based on “internal audits, fuzzing and other initiatives”, which very probably means that they weren’t previously known to anyone else, and therefore never were (and no longer can be) turned into zero- day holes, which is good news.

Linux users haven’t had a mention in this month’s bulletins yet, but it’s not clear whether that’s because none of these bugs apply to the Linux codebase, because the patches aren’t quite ready yet for Linux, or because the bugs aren’t considered important enough to get Linux-specific fixes.