Google Thursday released an emergency patch for Chrome 107 to address the actively exploited zero-day vulnerability CVE-2022-3723.
Google released an emergency update for Chrome 107 to address an actively exploited zero-day vulnerability tracked as CVE-2022-3723.
The flaw was reported by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast on October 25, 2022.
“Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild,” reads the advisory published by Google. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
This is the seventh Chrome zero-day fixed by Google this year; the full list is below:
- CVE-2022-3075 (September 2) – Insufficient data validation in the Mojo collection of runtime libraries.
- CVE-2022-2856 (August 17) – Insufficient validation of untrusted input in Intents.
- CVE-2022-2294 (July 4) – Heap buffer overflow in the Web Real-Time Communications (WebRTC) component.
- CVE-2022-0609 (February 14) – Use-after-free issue that resides in the Animation component.
Google did not disclose details about the attacks and did not attribute them to a specific threat actor.
At this time it is unclear whether the attacks exploiting the CVE-2022-3723 flaw are part of the operation detailed by Avast and associated with Candiru’s surveillance activity.
(SecurityAffairs – hacking, Log4Shell)