Users of Google Chrome are again being urged to download a latest update to patch a high-severity security bug that is currently being exploited in the wild.
The vulnerability, CVE-2022-3075, is described as an insufficient data validation flaw in Mojo, a collection of runtime libraries that Google says provides “a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries.”
The bug was reported on Aug. 30, and the update (105.0.5195.102) was released on Sept. 2.
Few other details about the vulnerability are available, but Google says it is “aware of reports that an exploit for CVE-2022-3075 exists in the wild.”
The company says it is restricting access to further information about the vulnerability until a majority of users update and fix the flaw.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the company says.
This is the sixth zero-day security bug in Chrome that Google has addressed this year. According to cybersecurity firm Malwarebytes, the others were:
- CVE-2022-0609, a Use-after-Free (UAF) vulnerability, which was patched in February
- CVE-2022-1096, a “Type Confusion in V8” vulnerability, which was patched in March
- CVE-2022-1364, a flaw in the V8 JavaScript engine, which was patched in April
- CVE-2022-2294, a flaw in the Web Real-Time Communications (WebRTC), which was patched in July
- CVE-2022-2856, an insufficient input validation flaw, which was patched in August
Admins should make sure that all users update their browser, especially if users are not in the habit of closing Chrome, as it updates automatically upon relaunch.
Leave a Reply