Although major updates for Google Chrome and Microsoft Edge arrive every four weeks, minor revisions to fix bugs, performance issues, and security vulnerabilities are released outside of this window too. This time, both Edge and Chrome have received an emergency patch to plug a security hole present in Chromium.
The issue in question is tagged as CVE-2022-1096, but the interesting thing is that very little about it has been publicly revealed as of now. The Microsoft Security Response Center (MSRC) has simply described it as "Type Confusion in V8".
For those unaware, V8 is the JavaScript engine used in Chromium. Microsoft has further highlighted that the exploit is being used in the wild and that Google is aware of it. As such, the fix has been deployed in Chromium 99.0.4844.84, which has been ingested in Edge 99.0.1150.55. You can click on the three-dot button on the top-right of Edge and navigate to Help and feedback > About Microsoft Edge to trigger the update manually.
Google doesn't describe the security hole in too much detail either but there are a couple of interesting tidbits of information available. The issue has been tagged with a severity level of "High" and was in fact reported on March 23 by an unnamed person. Since it's in the wild and is apparently a rather severe vulnerability, it makes sense that the firm has patched Chromium quite quickly and immediately pushed out the fix for Chrome as well.
The update is available for Chrome via version 99.0.4844.84 on Windows, Mac, and Linux. You can head over to the three-dot button on the top-right of Chrome and navigate to Help > About Google Chrome to trigger the update.
Given the hush-hush surrounding the vulnerability, it's likely that the issue is easily exploitable on older versions of Chromium, so Google wants the patch to be generally available for everyone before it releases more details about the issue in due course.
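For administrators who need to check many machines rather than click through the About page on each one, here is an added example (not from the article, Google, or Microsoft) that compares reported browser versions against the fixed builds named above. The host names and version banners in the inventory are constructed sample data, and the check assumes that any build at or above the fixed version contains the patch.

```python
import re

# Fixed builds as stated in the article.
FIXED = {
    "chrome": (99, 0, 4844, 84),
    "chromium": (99, 0, 4844, 84),
    "edge": (99, 0, 1150, 55),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part browser version from free text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def product_of(text):
    """Map a version banner to a key in FIXED, or None if unrecognised."""
    lowered = text.lower()
    for name in ("edge", "chromium", "chrome"):
        if name in lowered:
            return name
    return None

def assess(banner):
    """Return 'patched', 'outdated' or 'unknown' for one version banner."""
    product, version = product_of(banner), parse_version(banner)
    if product is None or version is None:
        return "unknown"
    # Tuples compare numerically per component, so 4844.9 sorts below
    # 4844.84 (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED[product] else "outdated"

def report(inventory):
    """Assess every (host, banner) pair in an inventory."""
    return {host: assess(banner) for host, banner in inventory}

# Constructed inventory: hosts and banners are illustrative only.
INVENTORY = [
    ("host-a", "Google Chrome 99.0.4844.84"),
    ("host-b", "Google Chrome 99.0.4844.9"),
    ("host-c", "Microsoft Edge 99.0.1150.46"),
    ("host-d", "Microsoft Edge 100.0.1185.29"),
    ("host-e", "Chromium 98.0.4758.102 snap"),
    ("host-f", "Mozilla Firefox 98.0.2"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "outdated" are the ones to push the update to first; "unknown" means the banner was not a recognised Chromium-based browser or carried no four-part version.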