Google released new software patches on Thursday to address a new zero-day vulnerability in its Chrome web browser.
Writing in a security bulletin, the tech giant described the high-severity vulnerability (tracked as CVE-2022-4135) as a heap buffer overflow in the graphics processing unit (GPU) component.
Google attributed the discovery of the vulnerability to Clement Lecigne of its Threat Analysis Group (TAG), saying the researcher made the discovery on November 24.
The new vulnerability marks the eighth zero-day fixed by Google for the desktop version of the Chrome web browser.
The company is recommending users upgrade to version 107.0.5304.121/.122 for Windows and 107.0.5304.121 for Mac and Linux. Chromium-based browsers like Microsoft Edge, Brave, Opera and Vivaldi should also be updated to apply the fixes as and when they become available.
Google is also currently withholding details about the vulnerability to prevent further malicious exploitation.
Although the full scope of the exploit is currently unknown, this kind of vulnerability can typically allow threat actors to corrupt data and remotely execute code on a victim’s device.
In fact, according to the US government’s National Institute of Standards and Technology (NIST) agency, CVE-2022-4135 allows a “remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”
Patches for the vulnerability should be applied automatically. If that is not the case because of system configurations, users can update their Chrome browser by clicking on the three vertical dots in the upper-right corner and navigating to ‘Help’ and then ‘About Google Chrome.’
The browser will then automatically check for and download the latest build (107.0.5304.121) and prompt users to restart their browser.
Other zero-day Chrome vulnerabilities found by Google this year include CVE-2022-2294, which the company patched in July.