Google is pushing out an emergency patch for its Chrome browser on multiple platforms, including Windows, Linux, and Mac, to protect against a zero-day vulnerability that is being actively exploited in the wild. Applying the patch updates the browser to version 100.0.4896.127, and more importantly it protects users from what's described as a Type Confusion attack vector in Chrome's V8 JavaScript engine.
As is typical with this sort of thing, Google is not divulging specifics about the zero-day threat until a large portion of Chrome users have applied the patch. That could take a little bit—Google said it is rolling out the update over the coming days and weeks. All we know is that it's rated "High" in severity.
You don't have to wait, though. If Chrome hasn't fetched the patch automatically on your system, you can expedite the update by clicking the three vertical dots in the upper-right corner and navigating to Help > About Chrome. This will prompt Chrome to download the latest update. Then hit Relaunch to apply the patch. Chrome will restore any tabs you had open (save for any Incognito windows), but save any work first, for example if you're typing directly into a CMS.
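For anyone checking more than one machine, the following added example (not from the original article or from Google) flags hosts still below the patched build 100.0.4896.127. It assumes versions have been collected as text containing the four-part version number; the host names and sample strings are constructed.

```python
import re

# Patched build named in the article; anything lower is still exposed.
PATCHED = (100, 0, 4896, 127)
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def needs_update(text, minimum=PATCHED):
    """True if below minimum, False if at or above it, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuples of ints compare field by field. Comparing the raw strings would
    # rank "100.0.4896.88" above "100.0.4896.127" because "8" sorts after "1".
    return version < minimum


def audit(inventory):
    """Split a {host: reported version} mapping into outdated and unknown hosts."""
    outdated, unknown = [], []
    for host, reported in sorted(inventory.items()):
        status = needs_update(reported)
        if status is None:
            unknown.append(host)
        elif status:
            outdated.append(host)
    return outdated, unknown


# Constructed sample inventory; host names and reported strings are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 100.0.4896.127",
    "ws-02": "Google Chrome 100.0.4896.88",
    "ws-03": "Google Chrome 99.0.4844.84",
    "ws-04": "Google Chrome 101.0.4951.41",
    "ws-05": "chrome not found",
}

if __name__ == "__main__":
    outdated, unknown = audit(SAMPLE_INVENTORY)
    print("needs update:", outdated)
    print("could not determine:", unknown)
```

Hosts reported as unknown should be checked by hand rather than assumed patched.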
Google made exceptionally quick work in coding a patch for this zero-day. According to Shane Huntley, head of Google's Threat Analysis Group, the zero-day bug was patched out just a day after it was reported. The patch also includes "various fixes from internal audits, fuzzing, and other initiatives."
The latest emergency patch follows two other zero-day threats that were stomped out in Chrome this year. There was another Type Confusion flaw in V8 that was patched in March (CVE-2022-1096), and a remote execution vulnerability patched in February (CVE-2022-0609) that was being exploited by North Korean government-backed attacker groups.
Good work by Google in rolling out this latest patch so quickly. Chrome is the most widely used browser in the world, with an estimate from last year noting there are around 3.3 billion people who use Chrome.