Google fights the actively exploited zero-day flaw with Chrome updates

Google patches the new Chrome zero-day flaw that was already exploited in attacks

The Chrome update patches the fourth zero-day flaw this year

Google has pushed a security update addressing a high-severity vulnerability in the Chrome web browser that has already been exploited in the wild.[1] The flaw, tracked as CVE-2022-2294, is a heap buffer overflow in WebRTC, the component that provides real-time audio and video communication in the browser without plugins or native applications.[2]

Heap buffer overflows, also called heap overruns or heap smashing, occur when a write runs past the end of a buffer allocated on the heap and overwrites adjacent heap memory. Such corruption can lead to arbitrary code execution[3] and is often used as a stepping stone to bypass other security controls. The issue also affects the Android version of Chrome.
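To make the mechanism concrete, the following is an added C example written for this article; it is not Chrome or WebRTC code and does not reproduce the actual CVE-2022-2294 bug. It places a frame buffer and a neighbouring flag back to back in one constructed mini-heap, then shows a length-trusting copy clobbering the neighbour beside the bounds-checked form that rejects the oversized frame. The FRAME_CAP size, the flag object and the 20-byte input are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity of the heap-allocated frame buffer. */
#define FRAME_CAP 16u
/* Size of the constructed mini-heap that holds both objects. */
#define ARENA_SIZE 32u

/* Constructed mini-heap: one allocation holding two objects back to back,
 * the way an allocator places small chunks next to each other. Object A is
 * the frame buffer at offset 0; object B is a 4-byte flag at offset
 * FRAME_CAP standing in for whatever sits next door on a real heap (a
 * length field, a vtable pointer, a trust bit). Keeping both inside one
 * allocation keeps the overflow write inside valid memory, so the program
 * shows the corruption instead of crashing. */
struct mini_heap {
    unsigned char *base;
};

static int heap_init(struct mini_heap *h) {
    h->base = calloc(ARENA_SIZE, 1);   /* flag starts at 0 */
    return h->base ? 0 : -1;
}

static void heap_free(struct mini_heap *h) {
    free(h->base);
    h->base = NULL;
}

/* Read the neighbouring flag via memcpy rather than aliasing the byte
 * arena as a uint32_t. */
static uint32_t heap_read_flag(const struct mini_heap *h) {
    uint32_t v;
    memcpy(&v, h->base + FRAME_CAP, sizeof v);
    return v;
}

/* Vulnerable pattern: the copy trusts the caller-supplied length, so any
 * len greater than FRAME_CAP spills into the neighbouring object. */
static void copy_frame_unchecked(struct mini_heap *h,
                                 const unsigned char *src, size_t len) {
    memcpy(h->base, src, len);
}

/* Hardened pattern: the length is validated against the buffer's real
 * capacity before any write. Returns 0 on success, -1 if rejected. */
static int copy_frame_checked(struct mini_heap *h,
                              const unsigned char *src, size_t len) {
    if (len > FRAME_CAP) {
        return -1;
    }
    memcpy(h->base, src, len);
    return 0;
}

/* Feed a constructed 20-byte frame (4 bytes over capacity) through either
 * copy and return the neighbouring flag afterwards. The bytes are all 0x41,
 * so a corrupted flag reads 0x41414141 on any endianness; intact reads 0. */
uint32_t oversized_frame_result(int use_checked_copy) {
    struct mini_heap h;
    unsigned char frame[FRAME_CAP + 4];
    uint32_t flag;

    memset(frame, 0x41, sizeof frame);
    if (heap_init(&h) != 0) {
        return 0xFFFFFFFFu;   /* allocation failure sentinel */
    }
    if (use_checked_copy) {
        (void)copy_frame_checked(&h, frame, sizeof frame);   /* rejected */
    } else {
        copy_frame_unchecked(&h, frame, sizeof frame);       /* overflows */
    }
    flag = heap_read_flag(&h);
    heap_free(&h);
    return flag;
}

/* Returns 1 if the checked copy rejects an oversized frame yet still
 * accepts an in-bounds one without touching the neighbour, else 0. */
int checked_copy_behaves(void) {
    struct mini_heap h;
    unsigned char small[FRAME_CAP];
    unsigned char big[FRAME_CAP + 1];
    int ok;

    memset(small, 0x42, sizeof small);
    memset(big, 0x42, sizeof big);
    if (heap_init(&h) != 0) {
        return 0;
    }
    ok = copy_frame_checked(&h, big, sizeof big) == -1 &&
         copy_frame_checked(&h, small, sizeof small) == 0 &&
         heap_read_flag(&h) == 0;
    heap_free(&h);
    return ok;
}

int main(void) {
    printf("flag after unchecked copy: 0x%08x\n", oversized_frame_result(0));
    printf("flag after checked copy:   0x%08x\n", oversized_frame_result(1));
    printf("checked copy behaves:      %d\n", checked_copy_behaves());
    return 0;
}
```

The unchecked copy turns the neighbouring flag from 0 into 0x41414141 with nothing crashing, which is exactly why heap overflows are valuable to an attacker: the corrupted neighbour is whatever the allocator happened to place there, and on a real heap that can be a length field or a pointer that later steers execution. The fix is the one-line capacity check before the write; on a real target that same reasoning is backed up by AddressSanitizer or fuzzing, since the silent corruption shown here is otherwise invisible.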

Chrome 103.0.5060.114 for Windows is rolling out worldwide in the Stable Desktop channel, and Google says it may take days or weeks for the update to reach the entire user base. You can trigger the update immediately by opening the browser menu and choosing Help > About Google Chrome, which checks for and installs the new version.

Consequences of the zero-day vulnerability

This update patches this particular zero-day, but it is neither the first nor likely the last of the year. Since the start of the year Google has fixed three other actively exploited Chrome zero-days: CVE-2022-0609, a use-after-free in Animation; and CVE-2022-1096 and CVE-2022-1364, both type confusion bugs in the V8 JavaScript engine.

Details of how the flaw was exploited and of the malicious campaigns behind it have not been released, to limit further exploitation while users update. The bug fixed in this upgrade is nonetheless a high-severity vulnerability[4] that can lead to program crashes, arbitrary code execution, or bypass of security protections.

Updating now is the best defense against exploitation attempts until more details are revealed. Google confirms that the zero-day has been exploited in the wild but is not sharing further details with the public:

Access to bug details and links may be kept restricted until a majority of users are updated with a fix

Google takes measures to protect women's privacy

Google recently closed a data loophole amid privacy fears following the abortion ruling. The company is removing the ability of third-party companies to collect and sell sensitive personal data from Android smartphones. Privacy campaigners have welcomed the move in light of the US Supreme Court's decision to end the constitutional right to abortion.[5]

Developers previously could see which applications were installed on a phone; that access is now restricted. Google is also limiting the risk that smartphone data could be used to enforce the new restrictions: location history entries for visits to sensitive medical locations such as abortion clinics will be erased automatically.

These changes come amid growing fears that mobile applications could be weaponized by US states to enforce the new abortion restrictions. Companies have harvested and sold such information on the open market, including lists of Android users of apps related to period tracking and family planning.

Many researchers have already urged women to delete period-tracking and pregnancy-planning applications to avoid being tracked or penalized for considering abortion. Google announced in March that the feature allowing developers to see which apps are installed on or deleted from a user's phone would be restricted; the new deadline is July 12.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
