Google has released a Chrome browser update which addresses a zero-day flaw that is currently under active attack. This is the fifth time this year that
Google has put Chrome users in a situation where they should act swiftly to apply a patch to a critical security flaw. If you are a Chrome user, please check that you are running 104.0.5112.102/101 for Windows, or 104.0.5112.101 for Mac and Linux. If not, you can nudge Chrome to update immediately by selecting the triple dot menu in the upper-right corner, then Help, then About Google Chrome.
The latest Chrome update includes not only the headlining security flaw, but 11 critical, high, and medium security fixes in total. The headlining issue is Chrome bug 1345630, which has been tracked as CVE-2022-2856. Until CVE-2022-2856 is patched, it can allow attackers to run arbitrary code on your system. Its almost benign sounding technical description is that it allows “Insufficient validation of untrusted input in Intents,” but do not let your guard down.
Translating the CVE techno-speak to English, ‘Intents’ are a deep linking device used by Google to allow links to open up other apps. Think about links that pop open a video conferencing app, or a torrent app, for example. Google's mechanism in Chrome was too open, and thus open to exploitation. Attackers could craft a form on a web page, and a visitor using an unpatched version of Chrome could then get a dose of
malware. However, Google is prudently holding back on most of the details of the flaw, including how it is being exploited in the wild, as the update rolls out to users who might not keep up with the latest tech news. Remember, you can get the update now if you follow our tip in the intro.
Security focused website
ThreatPost notes that CVE-2022-2856 is the fifth
Chrome vulnerability of 2022, where attackers have been actively seeking to exploit a flaw to reap ill-gotten-gains. The moral of the story is that users should pay particular attention to keeping their web-facing software up to date, and browsers are one of the primary targets of threat actors.