Google updates Chrome to fix actively exploited WebRTC zero-day

Google has released an unexpected update to its Chrome browser to fix a zero-day WebRTC flaw that is being actively exploited.

The culprit is CVE-2022-2294, a flaw in WebRTC, the code that gives browsers real-time communications capabilities.

Details of the flaw, bug number 1341043, are not currently available in the Chromium project's bug tracker, and details of the CVE had not been published at the time of writing. But Google’s announcement of the new browser version describes it as: “Buffer overflow in WebRTC. Reported by Jan Vojtesek of the Avast Threat Intelligence team on July 1, 2022.”

The fix is to install Chrome 103.0.5060.114 for Windows and Chrome 103.0.5060.71 for Android, both of which will appear soon.

Google says the bug is being actively exploited, but offers no insight into how exploitation can be detected or defended against other than by updating Chrome. Given the nature and purpose of WebRTC, it’s probably best not to use browser-based communications tools until you can upgrade.

The Chrome updates also address other flaws, namely:

  • CVE-2022-2295, a type confusion in the V8 JavaScript engine used in Chrome;
  • CVE-2022-2296, a use-after-free in Chrome OS Shell.

All three defects have a high severity rating.

The release of the new Chrome builds marks the fourth time in 2022 that Google has had to issue emergency fixes. Fortunately, Chrome updates itself with little user intervention, so many millions of users should be protected from these latest issues in short order. Whether they are safe in the long run is another matter.

The WebRTC flaw was reported on July 1, and Google’s notification of the updated Chrome builds that fix it is dated July 4, suggesting that people on the Chrome team lost their weekend preparing the fix and did so at a decent speed. But bad actors can do a lot of harm in three days … ®
