Google issues Chrome update fixing mysterious zero-day exploit

Earlier this month, we learned about the zero-day Chrome exploit that state-sponsored hackers based in North Korea had access to for just over a month before a patch was issued in mid-February. In that case, the hackers were able to fool the unwary with compromised real websites and with sites they’d spoofed by securing similar domain names. Now, for the second time that we know of in 2022, Chrome has a zero-day, and Google is rolling out yet another fix.

A new stable channel desktop Chrome update for Windows, Mac and Linux became available Friday. In a Chrome Releases Blog post (found via Bleeping Computer), Google explains that the release contains one security update, for the zero-day vulnerability CVE-2022-1096, first reported to the company through an anonymous tip on March 23. The zero-day is a weakness in Chrome’s JavaScript engine that hackers can use to inject their code into your browser. It’s exactly the kind of thing that malicious actors love to use against their targets. Google won’t provide much more information beyond admitting that attacks leveraging this zero-day weakness have already taken place.

The company described withholding some information from the public as a safety measure, stating that full details on how the exploit worked won’t be made public until most users have the fix. Fortunately, this time Google was apparently able to issue a patch before the exploit became widely known. Users should update to Chrome version 99.0.4844.84 as soon as possible.
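For administrators who need to confirm which machines have reached the fixed build, the following is an added example (not from Google or from this article) that compares reported Chrome version strings against 99.0.4844.84 field by field, since plain string comparison misorders builds such as 99.0.4844.9 and 100.0.0.0. The host names and inventory lines are constructed, and the check assumes stable channel desktop builds only.

```python
import re

FIXED = (99, 0, 4844, 84)  # fixed stable build named in the article

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
# The lookarounds reject longer dotted runs such as 1.2.3.4.5.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first 4-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def audit(lines, fixed=FIXED):
    """Classify 'host<TAB>version output' lines against the fixed build."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in lines:
        host, _, raw = line.partition("\t")
        version = parse_version(raw)
        if version is None:
            report["unknown"].append(host)     # no version found: follow up manually
        elif version >= fixed:                 # tuple compare is numeric per field
            report["patched"].append(host)
        else:
            report["vulnerable"].append(host)
    return report


# Constructed inventory: hypothetical host name, a tab, then the text each
# host reported for its Chrome version (assumed collection format).
SAMPLE = [
    "ws-001\tGoogle Chrome 99.0.4844.84 ",
    "ws-002\tGoogle Chrome 99.0.4844.82 ",
    "ws-003\tGoogle Chrome 98.0.9999.999 ",
    "ws-004\tGoogle Chrome 100.0.0.0 ",
    "ws-005\tGoogle Chrome 99.0.4844.9 ",   # sorts above .84 as a string
    "ws-006\tcommand not found",
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts)}")
```

Hosts that land in the unknown bucket reported no parseable version and should be treated as unverified rather than as patched.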