Google releases emergency patch for 3.2 billion Chrome users
Google Chrome version 99.0.4844.84 for Windows, Mac and Linux patches a critical zero-day vulnerability that is being exploited in the wild. Google is releasing this version globally via the Stable Desktop channel, and it may take a few weeks to reach everyone.
To check whether you have received the new update, click the three dots in the top right and select Help > About Google Chrome. This page shows which version of Chrome you are using. The browser will automatically check for and install new updates.
The vulnerability, CVE-2022-1096, is a weakness in Chrome’s V8 JavaScript engine. It was discovered and reported by an anonymous security researcher, and its details are being kept secret until “most users have updated the patch”.
Google is very tight-lipped about the vulnerability and says only that it has detected attacks exploiting it. The company emphasizes that users can still be attacked even after updating the browser if this vulnerability persists in third-party libraries used by other projects.
In addition to crashing the browser by reading and writing memory outside buffer bounds, the vulnerability could allow an attacker to execute arbitrary code. According to Bleeping Computer, this is the second zero-day vulnerability in 2022 that Google has addressed. The first vulnerability (CVE-2022-0609) was patched last month. It was used by two different groups of hackers in phishing campaigns, through fake job offers and malicious websites.
Source: vtc.vn, via Blogtuan.info