Just three days after a previous update, Google pushed an emergency Chrome update last Friday to deal with a zero-day vulnerability that is already being exploited in the wild. If you use Chrome, the update process is automatic; you just need to restart your browser when it asks you to for the fix to take effect. Users of other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also keep an eye out for an update. Google is keeping the details quiet for security reasons, but here is what we know.
The vulnerability, catchily named CVE-2022-3075, was only brought to Google's attention on August 30 by an anonymous security researcher. That the company pushed an emergency security update on September 2 speaks volumes about the severity of the underlying issue. The previous update, released on August 30, patched 24 security issues including one rated critical, so it is a big deal that Google felt the need to ship a separate update for a single vulnerability just three days later. This was the sixth Chrome zero-day that Google has patched this year.
According to Google, CVE-2022-3075 concerns "insufficient data validation in Mojo." Mojo is the inter-process communication (IPC) layer of Chromium, the browser engine that Google Chrome is built on: it carries the messages between the sandboxed processes that render web pages and the more privileged browser process that talks to your operating system. "Insufficient data validation" means that a process receiving one of those messages trusted part of its contents without checking it properly. That matters because the sandbox is what is supposed to keep a malicious web page contained, and bugs in the IPC plumbing are the classic way out of it, usually chained with a second bug that gives the attacker a foothold in the renderer. Google rated the bug "High," its second-most severe rating, which in practice means an attacker exploiting it can significantly compromise your browser and potentially your computer. Depending on the vulnerability, this could mean things like stealing passwords or credit card details, installing malware on your system, and otherwise doing very nasty things. These are the kind of exploits that hackers in movies (or working for national governments) use.
For now, Google is keeping many details about the vulnerability quiet until a substantial portion of the Chrome user base is safe from exploitation. Since it is being used in the wild, Google does not want to hand bad actors a roadmap. The bug bounty payout for the anonymous researcher also hasn't been announced, but could be up to $150,000.
This emergency update, which upgrades Chrome to version 105.0.5195.102 on Windows, Mac, and Linux, rolled out over the last few days. You can check what version of Chrome you are currently using by going to More (the three little dots) > Help > About Google Chrome; you want to see 105.0.5195.102 or a later number. Updates are downloaded automatically, but you have to restart your browser for the update to fully install. If you see the Update button in the top-right corner of your browser, click it. This is a serious security update and worth installing immediately.
If you use other Chromium-based browsers like Microsoft Edge, Brave, Opera, or Vivaldi, update them as soon as possible too. All four have since shipped updates containing the fix. Because each vendor numbers its builds differently, check your browser's own release notes for the fixed version rather than looking for the Chrome version number above.
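If you look after more than one machine, clicking through About Google Chrome on each of them does not scale. Here is an added example, not Google's code or the article's own, that parses the output of `google-chrome --version` and compares it numerically against the fixed Chrome build 105.0.5195.102 quoted above. The binary names it searches for are assumptions about a typical Linux or macOS install, the sample version lines are constructed, and the fixed build number for other Chromium-based browsers is something you supply from your vendor's release notes (the article does not give them). The one thing worth taking away is the comparison itself: compared as strings, "105.0.5195.52" sorts after "105.0.5195.102", so a naive check would report the vulnerable build as patched.

```python
"""Check whether a Chromium-based browser build is at or past a fixed version.

Added example for this article, not Google's code. Chrome reports versions as
four dot-separated integers (MAJOR.MINOR.BUILD.PATCH). The only value taken
from the article is the fixed Chrome build 105.0.5195.102; the sample output
lines below are constructed for illustration.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed Chrome build for CVE-2022-3075 on Windows, macOS and Linux (from the article).
CHROME_FIXED_FOR_CVE_2022_3075 = "105.0.5195.102"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first MAJOR.MINOR.BUILD.PATCH string and return it as an int tuple.

    Comparing as integers matters: as strings, "105.0.5195.52" sorts after
    "105.0.5195.102" because "5" > "1", which would wrongly report the
    vulnerable build as patched.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text: str, fixed: str = CHROME_FIXED_FOR_CVE_2022_3075) -> bool:
    """True if the reported build is the fixed build or newer.

    The same MAJOR.MINOR.BUILD with a lower PATCH number is still vulnerable.
    Pass a different `fixed` value for Edge, Brave, Opera or Vivaldi, whose
    vendors publish their own fixed build numbers (not given in the article).
    """
    return parse_version(version_text) >= parse_version(fixed)


def installed_chrome_version(
    candidates=("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"),
) -> Optional[str]:
    """Run the first Chrome/Chromium binary found on PATH with --version.

    Binary names are assumptions about a typical Linux/macOS install. Returns
    the raw output line, or None if nothing is found. On Windows, use
    About Google Chrome in the menu as the article describes.
    """
    for name in candidates:
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip()
    return None


# Constructed sample lines in the format `google-chrome --version` prints.
SAMPLE_OUTPUTS = [
    "Google Chrome 105.0.5195.52",    # the August 30 build, still vulnerable
    "Google Chrome 105.0.5195.102",   # the emergency fix from September 2
    "Google Chrome 106.0.5249.61",    # a later build (constructed), also fixed
]

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{line}: {'patched' if is_patched(line) else 'UPDATE NOW'}")
    live = installed_chrome_version()
    if live:
        print(f"installed: {live}: {'patched' if is_patched(live) else 'UPDATE NOW'}")
```

Run it as-is to see the three constructed lines classified, and it will also report on a locally installed Chrome if one is on your PATH. To reuse it for Edge or Brave, call `is_patched(output, fixed="<your vendor's fixed build>")`.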