Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability.
Google said the vulnerability (CVE-2022-2294) affects Windows and Android users, admitting that "Google is aware that an exploit for CVE-2022-2294 exists in the wild." The company also confirmed two further high-severity security flaws.
The zero-day bug fixed is a heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component, reported by Jan Vojtesek of the Avast Threat Intelligence team. WebRTC is an open-source project that enables real-time voice, text and video communication between web browsers and devices.
The zero-day is a serious vulnerability that could lead to arbitrary remote code execution when a user simply visits a malicious website, according to Patrick Tiquet, Vice President, Security & Architecture at Keeper Security. "This could enable an attacker to perform a variety of actions on a target system, such as install malware or steal information."
Tiquet recommends that Windows and Android Chrome users ensure that they install the latest updates to protect themselves. "Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets — compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser," Tiquet says. "Ensuring that web browsers are patched is a user or customer-organization responsibility. Web browsers, if not maintained and patched, can be a weak link in the security of any cloud-based service. Client web-browsers should be particularly concerning to cloud services in this case because they are largely outside of the security controls of the cloud service provider."