What you need to know
- Google Chrome has been updated to address a critical zero-day vulnerability.
- The flaw affects the browser’s WebRTC stack, which is under attack.
- The patch should be available to all users in the next few weeks.
Google has issued a patch to address a zero-day vulnerability in a component of Chrome’s real-time communication capabilities. The search giant warns users that it’s already being exploited in the wild.
The latest Chrome update (version 103.0.5060.114) for Windows addresses a threat, labeled CVE-2022-2294 (high-severity), which Google says is a critical security risk. The vulnerability affects the browser’s implementation of WebRTC, a standard used in video and voice applications for real-time communications.
Google has warned users that the flaw “exists in the wild,” which means attackers may have already exploited it. It was first discovered by Jan Vojtesek from the Avast Threat Intelligence team on July 1.
“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” the company said in an announcement.
The patch is set to become available to Chrome users on Windows and macOS over the next few weeks. A patch has also been released on Chrome for Android phones (version 103.0.5060.71).
Google is withholding details about the vulnerability until the fix reaches the majority of users.
The vulnerability may lead to program crashes and arbitrary code execution, according to Bleeping Computer. Worse, attackers can bypass security software if code has already been executed.
The new patch is Google’s fourth Chrome zero-day fix this year. In February, March, and April, the company released separate patches for various vulnerabilities, some of which were exploited by North Korean-backed state hackers.