Skip to Main Content

[BruinTech] fyi - Critical vulnerability with Google Chrome and Chromium based browsers

Hello all,

We'd like to raise awareness about a serious vulnerability with Google Chrome and Chromium based browsers such as Microsoft Edge. Please see the details below.

In short, all affected users need to update and restart the browser to resolve the vulnerability.

Please contact us with any questions or requests for assistance.

Regards,

Jason Chambers - on behalf of the VMP Team
UCLA Information Security


CVE: CVE-2022-1096
Type: Undisclosed Javascript (V8) based vulnerability

https://www.forbes.com/sites/daveywinder/2022/03/26/google-confirms-emergency-security-update-for-32-billion-chrome-users-attacks-underway/?sh=18875f32aaa2

Google Issues Emergency Security Update For 3.2 Billion Chrome Users — Attacks
Underway

Google has issued an emergency security update for all Chrome users as it confirms that attackers are already exploiting a high severity zero-day vulnerability.

The emergency update to version 99.0.4844.84 of Chrome is highly unusual in that it addresses just a single security vulnerability. A fact that only goes to emphasize how serious this one is.

In a Chrome stable channel update announcement, published March 25, Google confirms it "is aware that an exploit for CVE-2022-1096 exists in the wild."

All Chrome users are therefore advised to ensure their browsers are updated as a matter of urgency.

What is CVE-2022-1096?

Not much is known, at least publicly, at this stage about CVE-2022-1096 other than it is a "Type Confusion in V8." This refers to the JavaScript engine employed by Chrome. This holding back of detail is not unusual in such cases where a vulnerability is already being exploited by attackers. Google often will not reveal technical details until such a time as the update has been able to protect most of Chrome's 3.2 billion users.

Update March 28: Microsoft has now confirmed that this vulnerability exists in
Edge, which is a Chromium-based browser. Edge has also been updated to protect
users against the in-the-wild exploit. Go to settings|about and if your browser
version is 99.0.1150.55 or higher, it is no longer vulnerable to the CVE-2022-1096 issue. Chromium powers a whole bunch of browsers, including Brave and Vivaldi, and so I'd expect a lot of security fixes to be forthcoming.

How to apply the Google Chrome security patch now

Head for the Help|About option in your Google Chrome menu, and if the update is available, it will automatically start downloading.

It may take a few days for the update to reach everyone, so be patient if you are not seeing it yet.

Also, remember to restart your browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack.