Google issues warning for billions of Chrome users

03/29 Update below. This article was originally published on March 26

Google has issued an urgent update warning to its billions of Chrome users worldwide. Here’s everything you need to know to stay safe.

MORE FORBESGoogle confirms increase in serious attacks on Chrome – and why

Google posted the warning on its official Chrome blog, revealing that Chrome on Windows, macOS, and Linux is vulnerable to a new zero-day hack (CVE-2022-1096). Zero-day is the most dangerous form of attack because it means the vulnerability is known to hackers before Google can issue a patch. As the company admits, “Google is aware that an exploit for CVE-2022-1096 exists in the wild.” This means that every Chrome user is vulnerable.

Update 03/28: Microsoft has now confirmed that the same zero-day hack affects its Edge browser. The company has released a new update on its Security Response Center confirming that the exploit affects all Chromium-based browsers: “The vulnerability attributed to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based).” This means that other Chromium-based browsers including Amazon Silk, Brave, Opera, Samsung Internet (provided on its Galaxy smartphones), Vivaldi, and the Yandex browser are all very likely to have been affected.

Microsoft also confirms that it has released a patch for Edge based on the Chromium update that Google has already rolled out for Chrome. To get it, follow these steps:

  1. In your Microsoft Edge browser, click on the 3 dots (…) on the far right of the window
  2. Click on ‘Help and Feedback’
  3. Click on ‘About Microsoft Edge’

Microsoft says the patched version of Edge is 99.0.1150.553, so if your browser shows a lower number, you’re still vulnerable.

Google is currently limiting information about the exploit to buy time for Chrome users to upgrade. As of press time, all the company has revealed is the threat level (“high”), the area of ​​attack, and who discovered it (this was an anonymous tip):

  • High – CVE-2022-1096: Type confusion in V8. Reported by anonymous on 2022-03-23

Update 03/29: Concerns about this security vulnerability continue to grow. BeepComputer now reports that the US Cybersecurity and Infrastructure Security Agency (CISA) has order all federal agencies to immediately fix the CVE-2022-1096 exploit. CISA has also added day zero to its “catalog of known exploited vulnerabilities” and uses the hashtag #CriticalPatch. In addition to its warnings to FCEB agencies, CISA also stresses that all Chrome users in the private and public sectors should update immediately to reduce exposure to ongoing cyberattacks.

Other Chromium-based browser companies are also following Google’s lead and releasing emergency updates. The Last of Brave release notes confirm that the patched version of Chromium is available for their browser, and while the Opera and vivaldi blogs have not yet been updated to list their latest versions, I understand that both browsers are running the new secure version of Chromium.

The reality is that the software is pirated. It’s a continual game of cat and mouse between developers and hackers and the merit mostly lies in working with security specialists to discover and fix vulnerabilities preemptively and minimize the time during which an exploit zero -day is available before a patch is ready. With over 3 billion users, Chrome/Chromium is now among the most targeted software in the world and Google recognizes the number of zero-day attacks are on the riseThat said, security protocols have never been better (with some notable exceptions), although they rely on users to keep their software up to date. Don’t be the weak link.

V8 is the component of Chrome that is responsible for processing JavaScript, the engine at the heart of Chrome, and the hack tricks the browser into executing a different type of code (in this case, malicious). V8 attacks have been relatively rare in recent months, but they can be among the most dangerous, if a hacker is able to create a successful exploit.

In response, Google announced an emergency update for Chrome (99.0.4844.84) ​​”for Windows, Mac, and Linux that will be rolling out over the next few days/weeks.” To check your browser version, go to Settings > Help > About Google Chrome – this will also force Chrome to check for updates. Note: You are not protected until you restart the browser.

This is Chrome’s second zero-day hack of 2022, a relatively low number despite Google’s warning zero-day hacks are on the rise. Don’t make any changes, check your browser now.

___

Follow Gordon on Facebook

Learn more about Forbes

New Edge, Firefox and Chrome ‘100’ updates will break some websites

Google Confirms New ‘Critical’ Chrome Hack, Releases Urgent Fix

amoloans