Google published an emergency patch for a critical zero-day vulnerability in Chrome for Windows, Mac and Linux.

Google confirmed the existence of a type confusion vulnerability in Google Chrome. Type confusion vulnerabilities work as follows. First, an application allocates an object of a certain category, for example ‘pears’. At a later stage, the application attempts to use the same object as a different category, let’s say ‘apples’. Most programming languages have an emergency brake: the application notices the mismatch and stops, and that is all there is to it. Other languages, including C and C++, continue to run. Hackers can abuse type confusion to gain unauthorised access to a system’s memory.
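
The pears-and-apples case above, as an added C example that is not from Google or from the original article. The struct and function names are hypothetical, the values are constructed, and the example assumes a mainstream platform where a pointer is a plain address. It shows an unchecked accessor that continues to run next to a checked one that acts as the emergency brake.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: two "categories" sharing one storage slot. */
enum fruit_kind { KIND_PEAR, KIND_APPLE };

struct fruit {
    enum fruit_kind kind;          /* records which member is valid */
    union {
        uintptr_t   pear_weight;   /* pears store a plain number */
        const char *apple_label;   /* apples store a pointer to text */
    } as;
};

/* Unchecked: treats any fruit as an apple, as C and C++ allow.
 * For a pear, the bytes of the weight come back as a "pointer". */
const char *apple_label_unchecked(const struct fruit *f)
{
    return f->as.apple_label;
}

/* Checked: the emergency brake. Refuses when the tag does not match. */
int apple_label_checked(const struct fruit *f, const char **out)
{
    if (f == NULL || out == NULL || f->kind != KIND_APPLE)
        return -1;
    *out = f->as.apple_label;
    return 0;
}

int main(void)
{
    struct fruit pear = { .kind = KIND_PEAR, .as.pear_weight = 1234 };
    const char *label = NULL;

    /* The confused pointer is only printed, never dereferenced. */
    printf("unchecked: pointer value %#lx\n",
           (unsigned long)(uintptr_t)apple_label_unchecked(&pear));
    printf("checked:   %s\n",
           apple_label_checked(&pear, &label) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The unchecked call hands back a pointer whose value is the pear's weight, which is why data stored as one type can end up steering memory access when it is read as another.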

The latest Google Chrome update fixes a type confusion vulnerability in Chrome. Version 100.0.4896.127 is being rolled out automatically to Windows, Mac and Linux. Google states that it may take several days to weeks before the patch reaches every user. This delay explains the scant details. There is no evidence that the vulnerability has been abused in practice. Google hopes to keep it that way. Extensive details can unintentionally serve as a manual for cybercriminals.

Quick fix for CVE-2022-1364

You don’t have to wait for the automatic update. Manual patching is a matter of minutes. Open Chrome’s ‘Settings’ from the drop-down menu at the top right corner of the browser. Click on ‘About Chrome’ at the bottom of the left-hand bar. You will see the version of your browser. Most likely, the browser has already been updated. If not, click on the download button to manually fetch the most recent version.

Threat hunting

The vulnerability was found by the Google Threat Analysis Group, Google’s internal security branch. The department hunts for vulnerabilities using open source software tools, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer and AFL.

Anyone can participate. Google invites users to find and report vulnerabilities. Golden tips are rewarded with money. In 2021, Google paid out 3.3 million euros to 115 independent security researchers. Together they found 333 vulnerabilities in Google Chrome.