On 25 March 2022, Google released Chrome 99.0.4844.84 for Windows, Mac, and Linux to address a flaw that is being actively exploited by threat actors. We recommend updating to the latest browser version as soon as possible.
Details
The latest Chrome version fixes a high-severity vulnerability in V8 that is being exploited in the wild. V8 is the open-source JavaScript and WebAssembly engine developed by the Chromium project; it powers Google Chrome and other Chromium-based browsers, including Brave, Amazon Silk, Opera, Vivaldi and Microsoft Edge, and is also embedded in independent projects such as the Couchbase database server, the Node.js runtime and the Electron desktop application framework. Microsoft Edge and Brave have also shipped fixed builds. Other Chromium- and V8-based products remain vulnerable until their vendors rebase on the patched V8 and ship an update of their own.
The vulnerability, tracked as CVE-2022-1096, is rated high severity and is a type confusion weakness in V8. Type confusion occurs when the engine operates on an object as if it were of a different type than it actually is; an attacker who triggers it from a crafted web page can read and write memory out of bounds and, from there, execute arbitrary code in the browser's renderer process. Google has stated that an exploit for this flaw exists in the wild.
Unpatched browsers can be exploited simply by visiting a malicious or compromised web page, which increases your organisation's attack surface. Fixed versions of Chrome, Edge and Brave are being rolled out worldwide and can be deployed through automatic or manual updates.
Recommendations
We recommend that Windows, Mac and Linux desktop users of Chrome and Chromium-based browsers upgrade now to the latest version. In Chrome, open the browser menu and go to Help -> About Google Chrome, or enter chrome://settings/help in the address bar; Edge and Brave expose the same page at edge://settings/help and brave://settings/help.
The browser then checks for the update, downloads it if available and prompts for a relaunch. The patch is not in effect until the browser has been relaunched.
We recommend notifying users of this risk and asking them to restart their browser so that the downloaded update is actually applied; a browser that has been running since before the update was installed is still running the vulnerable code.
If browsers are managed centrally within your organisation, we recommend pushing the update as soon as possible and then verifying the installed version on each endpoint rather than relying on the deployment job's success status.
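The verification step can be automated against a software inventory export. The following Python script is an added example and is not part of the original advisory or any vendor tooling. It compares each host's installed browser version with the minimum fixed build and reports patched, vulnerable and unknown hosts. Chrome 99.0.4844.84 is the fixed build named above; the Edge and Brave thresholds are assumptions taken from the vendors' release notes and should be confirmed before use. The inventory format (hostname,browser,version) and the host entries are constructed for the example.

```python
"""Compliance check for the CVE-2022-1096 fixed browser builds.

Added example, not part of the original advisory. It compares installed
browser versions from a software inventory against the minimum fixed build.
Chrome 99.0.4844.84 is the fixed build named in the advisory; the Edge and
Brave thresholds are assumptions taken from vendor release notes and should
be confirmed before use.
"""
from typing import Dict, List, Tuple

# Minimum fixed builds. The Chrome value is from the advisory; the Edge and
# Brave values are ASSUMED and must be verified against vendor release notes.
FIXED_VERSIONS: Dict[str, str] = {
    "chrome": "99.0.4844.84",
    "edge": "99.0.1150.55",    # assumption
    "brave": "1.36.122",       # assumption
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '99.0.4844.84' into (99, 0, 4844, 84).

    Numeric comparison is required: as strings, '99.0.4844.9' sorts after
    '99.0.4844.84', which would wrongly mark an old build as patched.
    """
    parts = version.strip().split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError as exc:
        raise ValueError(f"unparseable version string {version!r}") from exc


def is_patched(browser: str, version: str) -> bool:
    """True if the installed build is at or above the fixed build."""
    key = browser.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for browser {browser!r}")
    installed = parse_version(version)
    fixed = parse_version(FIXED_VERSIONS[key])
    # Pad the shorter tuple with zeros so that 1.37 compares as 1.37.0.
    width = max(len(installed), len(fixed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return installed >= fixed


def audit(inventory: List[str]) -> Dict[str, List[str]]:
    """Group hosts into 'patched', 'vulnerable' and 'unknown'.

    Each inventory line is 'hostname,browser,version' (constructed format).
    Browsers with no known fixed build and unparseable versions are reported
    as 'unknown' rather than silently treated as patched.
    """
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory:
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            report["unknown"].append(line.strip())
            continue
        host, browser, version = fields
        try:
            bucket = "patched" if is_patched(browser, version) else "vulnerable"
        except (KeyError, ValueError):
            bucket = "unknown"
        report[bucket].append(host)
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "# hostname,browser,version",
    "ws-001,Chrome,99.0.4844.84",
    "ws-002,chrome,99.0.4844.74",
    "ws-003,Chrome,100.0.4896.60",
    "ws-004,Edge,99.0.1150.46",
    "ws-005,Brave,1.36.122",
    "ws-006,Vivaldi,5.1.2567.66",
    "ws-007,Chrome,unknown",
]

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket need manual follow-up: a Vivaldi or Opera install has no threshold in the table above because those vendors ship on their own schedule, and a version string the agent could not read usually means the inventory is stale. Treat both as unpatched until proven otherwise.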
References
Chrome Update
Microsoft Edge Update
Brave Update