Google has released an unexpected update to its Chrome browser to fix a WebRTC zero-day flaw that is being actively exploited.
The culprit is CVE-2022-2294, and is a problem in WebRTC – the code that imbues browsers with real-time communication capabilities.
Details of the flaw, number 1341043, are currently not detailed in the Chromium Project buglog, and CVE details have not been released at the time of writing. But Google’s notification of a new browser version describes it as: “Buffer overflow in WebRTC. Reported by Jan Vojtesek of the Avast Threat Intelligence team on 01/07/2022.”
The patch installs Chrome 103.0.5060.114 for Windows and Chrome 103.0.5060.71 for Android, which will appear soon.
Google says the flaw is under active attack, but offers no insight into how one might detect it or defend against it other than by updating Chrome. Given the nature and purpose of WebRTC, it’s probably best not to use browser-based communication tools until you can update.
Chrome updates also fix other flaws, namely:
- CVE-2022-2296, use after free error in Chrome OS Shell;
The three faults are classified as high severity.
The release of new versions of Chrome is the fourth time in 2022 that Google has needed to release emergency patches. Fortunately, Chrome updates with little user intervention, so several million users of the software should be protected from these latest issues in no time. Whether they are safe in the long term is another question.
The WebRTC flaw was reported on July 1, and Google’s notification about Chrome updates to fix it is dated July 4, suggesting Chrome team members wasted a weekend preparing for the fix and did it with decent speed. But bad actors can do a lot of stupid things in three days… ®