Google Urges Everyone To Patch This Actively Exploited Chrome Flaw ASAP

Google is warning of a major security flaw in Chrome and is recommending users update their browsers ASAP.

Yesterday, Google issued a security update on the Stable Channel for the Google Chrome web browser. The bug, labeled as CVE-2022-1096, takes advantage of an issue with variable types in the V8 JavaScript Engine for Google Chrome. According to Google and other security researchers, malware creators are already taking advantage of the vulnerability. As such, Google has issued a statement encouraging all users to update the browser as soon as possible.

While the bug report on Chromium's issue page is locked down, the method of execution is already known. The error is a "type confusion error." Effectively, if a variable or memory location is accessed using the wrong type, it can cause a crash or an out-of-bounds memory fault, sometimes allowing arbitrary code execution. It is a common issue in languages that are not considered type-safe, such as C, C++, or even JavaScript, which is where the threat comes from in web browsers. While there is type-safe JavaScript, known as TypeScript, the code that actually executes is unfortunately still plain JavaScript.

The basic concept of type-safe code is that you always know what kind of data you are handling. In most forms of JavaScript, you can declare any variable and it will take any type: a string, an integer, etc. But in type-safe code, you have to declare your variable as well as the type of variable the code should expect, meaning you can't store a string in an integer.

The vulnerability, which, as stated, is believed to already be in use, is also present in Chromium, the development form of the Chrome web browser. Chromium is also the basis for numerous other web browsers and applications, including Microsoft Edge, Opera, Vivaldi, Brave, and even the Electron development libraries. As such, Google has also stated that it encourages developers to make sure they update and issue patches to their users.
Screenshot of the update panel in Google Chrome

To check whether Google Chrome is up to date, or to force an update, visit chrome://settings/help via your address bar and check that the version shown is 99.0.4844.84 or greater. If it is, you're good to go; if not, you should see a prompt allowing you to update.
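
For anyone checking more than one machine, the same version test can be scripted. The following is an added example, not from Google or the original article: it compares reported Chrome version strings against 99.0.4844.84 numerically, and the host names and inventory values are constructed. The threshold applies to Google Chrome only, since other Chromium-based browsers use their own version numbers.

```python
import re

# Fixed Stable-channel build named in the article.
PATCHED = (99, 0, 4844, 84)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def status(text):
    """Classify a reported version string against the patched build."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # treat as needing manual follow-up
    # Tuples compare component by component as integers; comparing the raw
    # strings would rank "100.0..." below "99.0..." and ".9" above ".84".
    return "patched" if version >= PATCHED else "vulnerable"


def audit(inventory):
    """Map each host to its status and return the hosts needing attention."""
    results = {host: status(reported) for host, reported in inventory}
    needs_action = sorted(h for h, s in results.items() if s != "patched")
    return results, needs_action


# Constructed sample inventory (hypothetical hosts and values).
SAMPLE = [
    ("ws-01", "Google Chrome 99.0.4844.84"),
    ("ws-02", "Google Chrome 99.0.4844.82"),
    ("ws-03", "Google Chrome 100.0.4896.60"),
    ("ws-04", "Google Chrome 99.0.4844.9"),
    ("ws-05", "not installed"),
]

if __name__ == "__main__":
    results, needs_action = audit(SAMPLE)
    for host, state in results.items():
        print(f"{host}: {state}")
    print("Needs action:", ", ".join(needs_action))
```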