Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.
Another Chrome Zero-Day flaw: CVE-2022-1096
Date
Another Zero-Day flaw in the Chrome web browser for Windows, Macintosh, and Linux computers and Microsoft's Chromium-based Edge browser.
A zero-day flaw has been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaw (CVE-2022-1096) is a high severity flaw on the CVSS vulnerability-rating scale. It is a type confusion weakness in the Chrome V8 JavaScript engine reported by an anonymous security researcher.
Google has released a fix to address this zero-day vulnerability (version 99.0.4844.84). Shortly after Google released Chrome 99.0.4844.84, Microsoft announced that it has updated its Chromium-based Edge browser to version 99.0.1150.55, to resolve CVE-2022-1096.
You can checked for new updates in Chrome by going into Chrome menu > Help > About Google Chrome. Most Chrome and Edge browser will auto-updated AND the update requires the browser to be restarted. Considering the disclosed vulnerability, you should update your Chrome browser to the latest version (at least 99.0.4844.84) or Microsoft Edge browser to the latest version (at least 99.0.1150.55) as soon as possible. These web browser will also auto-check for new updates and automatically install them after the next re-start or launch.
Double-check your browser is up-to-date
Chrome and Edge browsers will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.
In Chrome, click on Settings then About Chrome
If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 99.0.4844.84
Additional Details
With this update, Google addressed the second Chrome zero-day since the start of 2022, the other one (tracked as CVE-2022-0609) patched last month.
(References: https://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-used-in-attacks; https://www.securityweek.com/google-issues-emergency-fix-chrome-zero-day; https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html )
Please see the Chrome Security Page and the Chrome Releases webpages for more information.