CVE-2022-3075: 0-day Google Chrome Vulnerability
Google on Friday rolled out patches for the Chrome browser for desktops to address a high-severity zero-day flaw that is being actively exploited in the wild.
Tracked as CVE-2022-3075, the issue has been described as a case of insufficient data validation in Mojo. Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries.
By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to bypass security restrictions. An anonymous researcher has been credited with reporting the flaw on August 30, 2022.
“Google is aware that exploits for CVE-2022-3075 exist in the wild,” the company noted in an advisory without delving into technical specifics about how the security vulnerability was used in attacks or the threat actors that may have weaponized it.
Google has released an emergency security update to fix this vulnerability. The fixed version is Google Chrome 105.0.5195.102.
More technical details about the nature of the attacks are to be released in the coming weeks so as to allow a majority of the users to install the update and prevent other threat actors from creating exploits targeting the flaw.
Users of Google Chrome can open the About page in Settings, where they can see the current version number and automatically check for the latest version. If Chrome was installed with the online installation package, it can be updated automatically. If it was installed with the offline installation package, the user needs to manually download the new version to upgrade.
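
For administrators checking many machines rather than one About page, the following added example (not from Google's advisory) classifies reported desktop Chrome version strings against the fixed build 105.0.5195.102. The host names and inventory entries are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed desktop build named in the text above.
FIXED_VERSION = "105.0.5195.102"

# Constructed sample inventory (host, reported version string); not real data.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 105.0.5195.102"),
    ("ws-002", "Google Chrome 105.0.5195.52"),
    ("ws-003", "Google Chrome 104.0.5112.101"),
    ("ws-004", "Google Chrome 106.0.5249.61"),
    ("ws-005", "version unknown"),
]

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, fixed=FIXED_VERSION):
    """Classify a reported version string as 'patched', 'outdated' or 'unknown'."""
    reported = parse_version(text)
    if reported is None:
        return "unknown"  # unparseable entries need manual follow-up, never a pass
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "105.0.5195.52" above "105.0.5195.102".
    return "patched" if reported >= parse_version(fixed) else "outdated"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(text) for host, text in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Entries reported as "unknown" are kept separate from "patched" so that a host with a missing or malformed version string is not silently counted as updated.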