Google has released Chrome 105.0.5195.102 for Windows, Mac and Linux users to address a single very serious security flaw, the sixth Chrome zero-day exploited in attacks patched this year.
“Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild,” the company said in a security advisory published Friday.
This new version is rolling out in the Stable Desktop channel, with Google saying it will reach the entire user base in a few days or weeks.
The update was immediately available when BleepingComputer checked for new updates by going to Chrome menu > Help > About Google Chrome.
The web browser also checks for new updates automatically and installs them after the next launch.
The zero-day bug fixed today (CVE-2022-3075) is a very serious vulnerability caused by insufficient data validation in Mojo, a collection of runtime libraries that facilitates message passing across arbitrary inter- and intra-process boundaries.
Google says this vulnerability was found by a security researcher who chose to report it anonymously.
While the browser vendor says the zero-day has been exploited in the wild, it has not yet shared any technical details or information about these incidents.
“Access to bug details and links may be restricted until a majority of users are updated with a fix,” added Google.
“We will also maintain restrictions if the bug exists in a third-party library that other projects similarly depend on, but has not yet been fixed.”
By postponing the release of more information about these attacks, Google is aiming to give Chrome users enough time to update and block exploitation attempts before more threat actors create their own exploits to deploy in attacks.
Sixth Chrome Zero-Day Fixed in 2022
With this release, Google has patched its sixth Chrome zero-day since the beginning of the year.
The previous five zero-day vulnerabilities found and fixed in 2022 are:
As the Google Threat Analysis Group (TAG) revealed in February, CVE-2022-0609 was exploited by North Korean-backed state hackers weeks before the February patch. In addition, the first signs of exploitation were found in early January.
The bug was exploited in campaigns that pushed malware through phishing emails using fake lures and through compromised websites hosting hidden iframes that serve exploit kits.
Since the zero-day bug patched today is known to have also been exploited by attackers in the wild, it is highly recommended to upgrade the Google Chrome web browser as soon as possible.