Skip to content
Naked Security Naked Security

Google patches “in-the-wild” Chrome zero-day – update now!

Running Chrome? Do the "Help-About-Update" dance move right now, just to be sure...

Google’s latest update to the Chrome browser fixes a varying number of bugs, depending on whether you’re on Android, Windows or Mac, and depending on whether you’re running the “stable channel” or the “extended stable channel“.

Don’t worry if you find the the plethora of Google blog posts confusing…

…we did too, so we’ve tried to come up with an all-in-one summary below.

The Stable channel is the very latest version, including all new browser features, currently numbered Chrome 103.

The Extended Stable channel identifies itself as Chrome 102, and doesn’t have the latest features but does have the latest security fixes.

Three CVE-numbered bugs are listed across the three bulletins listed above:

  • CVE-2022-2294: Buffer overflow in WebRTC. A zero-day hole, already known to the cybercrime fraternity and actively exploited in the wild. This bug appears in all versions listed above: Android, Windows and Mac, in both “stable” and “extended stable” flavours. WebRTC is short for “web real-time communication”, which is used by many audio and video sharing services you use, such as those for remote meetings, webinars and online phone calls.
  • CVE-2022-2295: Type confusion in V8. The term V8 refers to Google’s JavaScript engine, used by any website that includes JavaScript code, which, in 2022, is almost every website out there. This bug appears in Android, Windows and Mac, but apparently in the Chrome 103 flavour (“stable channel”) only.
  • CVE-2022-2296: Use-after-free in Chrome OS Shell. This is listed as applying to the “stable channel” on Windows and Mac, although the Chrome OS shell is, as the name suggests, part of Chrome OS, which is neither Windows nor Mac based.

Additionally, Google has patched against a bunch of non-CVE-numbered bugs that are collectively labelled with Bug ID 1341569.

These patches provide a slew of proactive fixes based on “internal audits, fuzzing and other initiatives”, which very probably means that they weren’t previously known to anyone else, and therefore never were (and no longer can be) turned into zero-day holes, which is good news.

Linux users haven’t had a mention in this month’s bulletins yet, but it’s not clear whether that’s because none of these bugs apply to the Linux codebase, because the patches aren’t quite ready yet for Linux, or because the bugs aren’t considered important enough to get Linux-specific fixes.

Bug types explained

To give you a very quick glossary of the important bug categories above:

  • Buffer overflow. This means that data supplied by an attacker gets dumped into a block of memory that isn’t big enough for the amount that was sent. If the extra data ends up “spilling over” into memory space already used by other parts of the software, it may (or in this case, does) deliberately and treacherously affect the behaviour of the browser.
  • Type confusion. Imagine that you are supplying data such as “price of product” that the browser is supposed to treat as a simple number. Now imagine that you can later trick the browser into using the number you just supplied as if it were a memory address or a text string instead. A number that passed the check to make sure it was legal price probably isn’t a valid memory address or text string, and would therefore not have been accepted without the ruse of sneaking it in under the guise of a a different data type. By feeding in data that’s “valid-when-checked-but-invalid-when-used”, an attacker could deliberately subvert the behaviour of the browser.
  • Use-after-free. This means that one part of the browser incorrectly carries on using a block of memory after it has been handed back to the system for reallocation elsewhere. As a result, data that’s already been checked for safety (by the code that assumes it “owns” the memory concerned) could end up sneakily modified just before it gets used, thus treacherously affecting the behaviour of the browser.

What to do?

Chrome will probably update itself, but we always recommend checking anyway.

On Windows and Mac, use More > Help > About Google Chrome > Update Google Chrome.

On Android, check that your Play Store apps are up-to-date.

After updating, you’re looking for version 102.0.5005.148 if you’re on the “extended stable” release; 103.0.5060.114 if you’re on the “stable” track; and 103.0.5060.71 on Android.

On Linux, we’re not sure what version number to look out for, but you might as well do the Help > About > Update security dance anyway, to ensure you’ve got the latest version available right now.


2 Comments

I always wish these security issues with Chrome would mention if they only affected Chrome specifically or do they affect all Chromium based browsers? I realize Chrome has a commanding market share but most other browsers out there, use a form of Chrome as their base. Nobody ever says, this also affects Edge, Brave, Opera and other Chromium browsers??

I suppose Google’s approach, because Chrome is their own proprietary product, is that the other browser makers should speak for themselves. My assumption is, unless there is specific evidence to the contrary, that Edge etc. are vulnerable, although perhaps not exploitable with exactly the same sort of attack when there’s a zero-day involved.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?