Google Patches Critical Chrome Zero-Day Exploited in Wild Attacks

Google announced that Chrome version 103.0.5060.114 for Windows is now available, fixing a high‑severity zero‑day vulnerability that has been exploited in the wild. This is the fourth Chrome zero‑day patched in 2022.

The update is being rolled out through the Stable Desktop channel and may take several days or weeks to reach all users. Users can check for the update via Chrome → Help → About Google Chrome, where the new version appears as immediately available and will be installed automatically on the next launch.

Avast’s threat‑intelligence team reported a recently fixed zero‑day (CVE‑222‑2294) in the WebRTC component, a serious heap‑based buffer overflow.

Google confirmed the zero‑day is being exploited but has not released technical details, stating that access to exploit information is limited until most users have updated, and that similar restrictions apply to third‑party exploits.

This release resolves the fourth Chrome zero‑day of the year. The previously patched vulnerabilities were:

CVE‑2022‑1364 – April 14

CVE‑2022‑1096 – March 25

CVE‑2022‑0609 – February 14

According to Google’s Threat Analysis Group, CVE‑2022‑0609 was used by North‑Korean state‑sponsored actors weeks before the February patch, first observed on January 4. The attackers employed phishing emails, fake job offers, and malicious sites hosting hidden iframes to deliver malware.

Google recommends that users install the latest Chrome update as soon as possible.

Source: https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/