In brief: This week, Google released an update for the Chrome web browser that doesn’t include any new features, as it’s entirely focused on fixing important security vulnerabilities, including one zero-day flaw that malicious actors are currently targeting in malware campaigns.
Google’s latest stable channel update for the desktop version of its Chrome browser is one of the most important in several months. According to the official changelog, the newest release contains fixes for no fewer than 11 security bugs, one of which has been actively exploited in the wild.
Most of us use the popular web browser daily and trust it to be secure enough for most purposes, so you should update your installation of Chrome as soon as possible. The vulnerability targeted in the wild has been assigned CVE-2022-2856, and it’s so severe that Google will keep the details about it a secret until a majority of users receive the fix. Engineers may even go as far as holding disclosure until after any other Chromium-based projects are safe from the exploit.
The only thing we know about the nature of CVE-2022-2856 is that it is an issue with “insufficient validation of untrusted input in Intents.” Intents are used to process user input in Google Chrome, so the bug would allow a malicious actor to input a specially crafted message (such as a comment on a web page) that isn’t expected by the app and is received by other parts of it. This can result in altered control flow and arbitrary code execution.
The good news is that updating Google Chrome is as easy as going to the About section of the settings menu. Once you’re there, the system will check for updates, which are usually installed in a matter of seconds and require a browser restart to complete.
So far, Google has patched five zero-day bugs this year, and one of them has been linked to Israeli spyware firm Candiru. Back in March, Google noted a significant increase in the number of Chrome vulnerabilities that have been exploited in the wild. The company observed 14 of these in 2021, up from eight in 2020 and just two in 2019.
In other security news, Apple just patched two actively exploited vulnerabilities affecting iPhones, iPads, and Macs. As with the latest Chrome update, you should install these as soon as possible.