Headline
Update now! Emergency fix for Google Chrome's V8 JavaScript engine zero-day flaw released
Categories: Exploits and vulnerabilities Categories: News Tags: V8
Tags: V8 JavaScript Engine
Tags: Google Chrome
Tags: Chrome
Tags: CVE-2022-4262
Tags: 108.0.5359.94
Tags: 108.0.5359.95
Tags: Chrome V8 flaw
Tags: type confusion
Google has rolled out an out-of-band patch for an actively exploited zero-day vulnerability in its V8 JavaScript engine. Make sure you’re using the latest version.
(Read more…)
The post Update now! Emergency fix for Google Chrome’s V8 JavaScript engine zero-day flaw released appeared first on Malwarebytes Labs.
On Friday, December 2, Google rolled out an out-of-band patch for an actively exploited zero-day vulnerability in its V8 JavaScript engine. The flaw could allow attackers to cause a system crash or execute potentially malicious code.
That means you’ll want to update Chrome to patch against this vulnerability as soon as you can. Do this by navigating to the “About Chrome” page on your browser’s menu.
If your Chrome version is 108.0.5359.94 (Mac and Linux) or 108.0.5359.94/.95 (Windows), then you have the latest version. If it, click Update Google Chrome.
Note: if you don’t have the update option, such as in the case below, some files may be missing from your computer, so it’s best to uninstall and reinstall Chrome.
Chrome without an update button option
Also, if you have other Chromium-based browsers you’re using, you may need to update them.
Vulnerability details
The flaw, tracked as CVE-2022-4262, has a severity rating of “High” and is a type confusion bug. Once exploited, remote attackers could exploit a memory corruption (also called heap corruption) using a specially crafted HTML page.
A type confusion bug happens when code doesn’t verify the object type passed to it, and then uses the object without type-checking. Unfortunately, this bug occurs on the V8 JavaScript engine, Google’s open-source JavaScript engine. Attacks on the V8 are not common; however, it’s considered one of the most dangerous.
CVE-2022-4262 is the 4th type confusion bug found this year and the 9th actively exploited zero-day to date.
As with any zero-day vulnerabilities Google patches, very little technical detail is provided about the vulnerability. You will also find that online pages for this vulnerability either contain incomplete details or are there as placeholders to be updated with new information in the future. The National Vulnerability Database is currently analyzing this flaw.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Related news
Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm - With a specially
Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been
By Habiba Rashid Google's Threat Analysis Group (TAG) labeled the spyware campaign as limited but highly targeted. This is a post from HackRead.com Read the original post: Google reveals spyware attack on Android, iOS, and Chrome
Google TAG researchers reveal two campaigns against iOS, Android, and Chrome users that demonstrate how the commercial surveillance market is thriving despite government-imposed limits.
A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group (TAG) has revealed. The two distinct campaigns were both limited and highly targeted, taking advantage of the patch gap between the release of a fix and when it was actually deployed on the targeted devices. "These
Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.
Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239112 But let’s start with an older vulnerability. This will be another example why […]
CISA gives agencies deadline to patch against Google Chrome bug being actively exploited in the wild.
Debian Linux Security Advisory 5295-1 - A security issue was discovered in Chromium, which could result in the execution of arbitrary code.
Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion
Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)