Pointers at Glance
- Google released a channel update for Chrome to patch an actively exploited zero vulnerability.
- The issue of heap buffer overflow in the browser’s WebRTC engine could allow attackers to execute arbitrary code.
- According to the vulnerability listing from the CWE website, buffer overflows generally lead to crashes or other attacks that make the affected program unavailable, including putting the program into an infinite loop.
Google silently rolled out a standard channel update for Chrome to patch an actively exploited zero vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year, while everyone was celebrating the 4th of July holiday in the US.
Chrome version 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published on Monday, fix a heap buffer overflow flaw in WebRTC, the engine that allows the browser its real-time communications capability.
The vulnerability, which was tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1, is described as a buffer overflow. According to the Common Weakness Enumeration (CWE) vulnerability listing, buffer overflows generally lead to crashes or other attacks that make the affected program unavailable, including putting the program into an infinite loop.
Attackers can utilize this situation by using the crash to execute arbitrary code typically outside of the scope of the program’s security policy.
Google mentions that it also patched seven other vulnerabilities with this version of Chrome. Most of those vulnerabilities received a high rating on the company’s severity scale-out, of which one received a medium rating. Google had fixed 16 other vulnerabilities throughout 2021.
Google Chrome updates are pushed out without user intervention so that most users will be protected once patches are available.
Read our latest blog: Efficient Ways to Make Your Chrome Browser Faster
