Google has fixed an actively exploited zero-day vulnerability in Chrome for the seventh time this year. Previously, updates for such vulnerabilities appeared in February, March, April, July, August, and September. The latest zero-day vulnerability, designated CVE-2022-3723, is in V8.
V8 is the JavaScript engine that Chrome and other browsers use to run JavaScript, and in which numerous other zero-day vulnerabilities have been found in the past year. The impact of the vulnerability has been assessed as "high". In the worst case, vulnerabilities of this severity allow an attacker to execute code within the context of the browser. It is then possible, for example, to read or modify data from other websites and thus steal sensitive information from users. Vulnerabilities that allow an escape from the Chrome sandbox also fall into this category.
Security vulnerabilities labeled "high" are not enough on their own to take over a system. This would require a second vulnerability, for example in the underlying operating system. Google does not provide details about the targets of the observed attacks or how exactly they are carried out. The issue was reported to the tech company on October 25 by researchers at antivirus company Avast.
Google Chrome 107.0.5304.87/88 is available for macOS, Linux, and Windows. Updating will happen automatically on most systems. In the case of actively exploited vulnerabilities, however, this can take up to seven days. Users who want to receive the update immediately will have to perform a manual check. For users of Microsoft Edge, which, like Chrome, is based on Google's Chromium browser, no update is available yet.