Google published a new security update for the stable channel of the company’s Chrome web browser that addresses several security issues. One of the security issues is exploited in the wild, according to Google.
Windows users of Chrome will receive the update to Chrome 103.0.5060.114 in the coming days and weeks. Since one of the issues is exploited in the wild, it is recommended to force Chrome to update to protect the device and its data from attacks.
To do so, launch chrome://settings/help in the address bar of the browser, or open the page manually by selecting Menu > Help > About Google Chrome.
Google Chrome displays the current version on the page that opens. A check for updates is run, and any new version is downloaded and installed automatically. Note that Chrome needs to be restarted to complete the installation of the update.
As far as security issues are concerned, Chrome 103’s update fixes four in total as revealed on the Chrome Releases website. Only three of those are listed on the page, as Google is not listing issues that it discovered internally.
Chrome 103_0-day security update
The three listed security vulnerabilities are:
- High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01
- High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16
- High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19
All three issues are rated with a severity of high, which is the second highest after critical. Google notes that exploits for CVE-2022-2294 exist in the wild. The description reveals that the attack targets a security issue in WebRTC, which stands for Web Real-Time Communications. It is a component in modern web browsers that is used for various communication tasks and services.
Google did not share additional information at the time. Security vulnerability information is locked and only available to certain Google employees and researchers. The main reason for that is that Google does not want other malware actors to use the information to create exploits targeting it. Since Chrome updates take days or weeks to reach the bulk of installations, it is done to protect unpatched devices.
Chrome users should install the update as soon as possible to protect the device against the exploit. It is the fourth 0-day vulnerability that has been patched by Google in the browser in 2022.