
Google Chrome, Microsoft Edge updated to close security hole • The Register

Google Chrome and Microsoft Edge have been updated to fix a security flaw for which an exploit is believed to be in the wild.

Anyone with this exploit code can attack vulnerable browsers, leaving Google and Microsoft, and their users, in a race to fix their software before it can be exploited. Everyone is therefore advised to install the latest version to be safe.

Neither cloud giant has provided much detail about the vulnerability, CVE-2022-1096, which Google ranked as a “high” severity bug in Chromium’s V8 JavaScript engine. Chromium is at the heart of Google Chrome as well as Microsoft Edge.

Google released Chrome build 99.0.4844.84 for Windows, Mac, and Linux on Friday to patch the hole in its browser. A day later, Microsoft pushed out an update for Edge.

The only other detail provided by Google about the vulnerability, discovered by an anonymous user, was as follows:

The web goliath said it would restrict access to bug details until a “majority” of its users have the fix. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but have not yet been fixed,” Google added.

It’s not just Chrome and Edge that rely on Google’s Chromium project: several other products also use its V8 JavaScript engine, so check for security updates for those, if needed. Google says Chrome has about 2.6 billion users, and Edge has about 160 million.

Like Google, Microsoft noted that an exploit was in the wild and remained silent on further details.

This latest Chromium vulnerability and exploit follow a few other high-profile security incidents for the two US companies.

In one, North Korean spies exploited a now-patched remote code execution vulnerability in Chrome to target media, IT, cryptocurrency and fintech organizations, and hijack their devices.

Google's Threat Analysis Group discovered the bug was abused in the wild on February 10 and said there was evidence it was exploited as early as January 4.

And earlier this month, Microsoft admitted that the notorious cybercrime gang Lapsus$ – several arrests were made last week in connection with the crew – infiltrated its network and seized part of its source code.

The admission came days after Lapsus$ bragged on its Telegram channel about stealing Bing and Cortana source code. Microsoft was one of the main victims of the recent Lapsus$ crime wave, which also included attacks on Okta, Nvidia, Samsung, Ubisoft and Vodafone. ®