Just days after Google updated the Chrome browser to patch a total of 24 vulnerabilities, another security update has landed. This one is even more important as it concerns a zero-day vulnerability that, Google has confirmed, is already being exploited by attackers.
The importance of this update cannot be stressed enough: the zero-day was only disclosed to Google on August 30, and Google has prioritized an update to address this single security issue. This emergency update, which takes Chrome to version 105.0.5195.102 across Windows, Mac, and Linux platforms, is highly unusual, especially coming so quickly on the heels of a full security update fixing other vulnerabilities.
What is CVE-2022-3075?
The vulnerability, CVE-2022-3075, is related to an insufficient data validation issue within the runtime libraries known as Mojo. Mojo is described as “providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries.” You can find more technical detail about Mojo in the Chromium source documentation. That, however, is as much as we know so far. As is usual with vulnerabilities that are already being exploited by attackers, Google is not releasing any further information until most Chrome and Chromium-based browser users have had the update rolled out to them.
How to apply the emergency Google Chrome security update
Chrome will update automatically, downloading and installing the fix without user intervention. However, the patch needs to be activated by way of a browser restart to actually start working.
You can check that you have the latest version of Chrome, and kickstart the update if it hasn’t been applied yet, by heading to the Help|About option in your Google Chrome menu.
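For administrators who want to script the same check on Linux hosts, here is an added example (not from Google or the original article) that compares a reported version string against the fixed build 105.0.5195.102 named above. It assumes the browser binary is called google-chrome and prints a line like "Google Chrome 105.0.5195.102" for --version; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Fixed build taken from the article; everything else here is illustrative.
FIXED_VERSION="105.0.5195.102"

# Pull the first four-part dotted version out of a --version style line.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 if version $1 >= version $2. Components are compared as numbers,
# because a plain string comparison would rank 5195.99 above 5195.102.
version_at_least() {
    a=$1; b=$2
    for i in 1 2 3 4; do
        ai=$(printf '%s' "$a" | cut -d. -f"$i")
        bi=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# Classify a version line: prints "patched", "needs-update" or "unknown".
# Exit status: 0 patched, 1 needs-update, 2 version not recognised.
check_chrome() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_at_least "$v" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "needs-update"
        return 1
    fi
}

# Usage on a host (assumed binary name):
#   check_chrome "$(google-chrome --version)"
```

This reports the installed build only; a browser that has been left running since before the update still needs the restart described above.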