Google has released patches for two security flaws in Chrome, of which one was being exploited in the wild.
The zero day is tracked as CVE-2022-1364, a high severity flaw reported to the Chrome team by Clément Lecigne of Google’s Threat Analysis Group on.
Google hasn’t revealed any details about it in the blogpost besides that it was a type confusion in Chrome’s V8 JavaScript engine.
“Google is aware that an exploit for CVE-2022-1364 exists in the wild,” the company says.
The fixes are contained in the Chrome stable channel release 100.0.4896.127 for Windows, Mac and Linux. It will roll out over the coming days or weeks, according to Google.
The US government’s Cybersecurity and Infrastructure Agency advised users to update their software and said “This version addresses a vulnerability that an attacker could exploit to take control of an affected system. This vulnerability has been detected in exploits in the wild.”
Google fixed 14 Chrome zero-day flaws in 2021, up from seven in 2020. Google argued that the uptick in Chrome zero-days might be alarming for some, but it may also indicate the company is getting better at catching and fixing them. One reason for hackers focusing on Chrome is because of the demise of Adobe Flash Player, previously a big target.
This February, Google also patched the Chrome zero day CVE-2022-0609 and in March it patched another bug, CVE-2022-1096 that was being exploited in the wild.
Google linked the use of CVE-2022-0609 to multiple hacking groups associated with North Korean state-based hacking group Lazarus. Google TAG researchers said they believed different North Korean hacking groups were sharing the same software supply chain, so used the same exploit kit. The group had targeted US organizations in news media, tech, cryptocurrency and fintech sectors, according to Google.