Google fixes seventh Chrome zero-day exploited in attacks this year

Google has released an emergency security update for the Chrome desktop web browser to address a single vulnerability known to be exploited in attacks.

The high-severity flaw (CVE-2022-3723) is a type confusion bug in the Chrome V8 Javascript engine discovered and reported to Google by analysts at Avast.

“Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild,” highlights the notice.

The company doesn’t provide many details about the vulnerability for security reasons, allowing Chrome’s user base enough time to update the web browser to version 107.0.5304.87/88, which addresses the problem.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google says.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.”

In general, type confusion vulnerabilities occur when the program allocates a resource, object, or variable using a type and then accesses it using a different, incompatible type, resulting in out-of-bounds memory access.

By accessing memory regions that shouldn’t be reachable from the context of the application, an attacker could read sensitive information of other apps, cause crashes, or execute arbitrary code.

Google does not clarify the level of activity involving the exploit that exists in the wild, so whether attacks using CVE-2022-3723 are widespread or limited is not known at this time.

Chrome users can update their browser by opening Settings → About Chrome → Wait for the download to finish → Restart the program.

Seventh Chrome zero-day fixed this year

Version 107.0.5304.87/88 fixes the seventh zero-day vulnerability fixed since the start of the year.

The previous six are:

• CVE-2022-3075 – September 2nd
• CVE-2022-2856 – August 17th
• CVE-2022-2294 – July 4th
• CVE-2022-1364 – April 14th
• CVE-2022-1096 – March 25th
• CVE-2022-0609 – February 14th

In some cases, like CVE-2022-0609, the flaws were exploited by state-sponsored threat actors for several weeks before Google discovered and patched them.

Hence, Chrome users are strongly advised to update their web browsers as soon as possible to block exploitation attempts.