Google released a new security update for its Chrome web browser for desktop systems and Android. The update fixes a security issue that is exploited in the wild, according to Google.
The issue affects Chrome for Windows, Linux, Mac and Android, according to Google.
The security issue affects Chromium, the open source code base that Chrome and other browsers, such as Microsoft Edge, Brave or Opera, are built on. As such, it is not Chrome-specific, but an issue that affects all of these browsers.
Chrome users should update the web browser immediately to resolve the issue.
How to install the Chrome security update
Google Chrome installs updates automatically by default, but this does not happen in real-time. Desktop versions of Chrome also support manual updates, and this is how it is done:
- Open the Chrome web browser on the computer.
- Load chrome://settings/help in the browser’s address bar, or select Menu > Help > About Google Chrome if you prefer that route.
- Chrome displays the installed version and runs a check for updates. Any new update is downloaded and installed at this point.
- A restart is required to complete the process.
One of the following Chrome versions needs to be listed on the Help page after the update:
- Google Chrome on Mac or Linux: 107.0.5304.121
- Chrome on Windows: 107.0.5304.121 or 107.0.5304.122
- Chrome Extended Stable channel: 106.0.5249.199
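For administrators who need to confirm the update across more than one machine, the version check above can be scripted. The following is an added example, not code from the article or from Google: it parses a Chrome version string, compares it against the fixed builds listed above per release branch (106 for Extended Stable, 107 for Stable), and treats any newer branch as fixed. The `google-chrome --version` invocation is an assumption that holds for Linux installs; the sample version strings are constructed.

```python
"""Check whether a reported Chrome version is at or above the builds Google
lists as fixed for CVE-2022-4135 (added example, not Google's tooling)."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed build per release branch, taken from the update notes above.
# Extended Stable stays on the 106 branch; Stable moved to 107.
FIXED_BY_MAJOR = {
    106: (106, 0, 5249, 199),
    107: (107, 0, 5304, 121),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract a four-part version from text such as 'Google Chrome 107.0.5304.121'."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, build, patch = (int(p) for p in match.groups())
    return (major, minor, build, patch)


def is_patched(version: Version) -> bool:
    """True if the version is at or above the fixed build for its branch."""
    major = version[0]
    if major in FIXED_BY_MAJOR:
        return version >= FIXED_BY_MAJOR[major]
    # Branches newer than any listed fixed branch shipped after the fix;
    # older branches never received it.
    return major > max(FIXED_BY_MAJOR)


def assess(version_text: str) -> str:
    """Classify a version string as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    return "patched" if is_patched(version) else "vulnerable"


def installed_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask a local Chrome binary for its version string (assumed Linux layout)."""
    try:
        result = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample outputs in the shape `google-chrome --version` prints.
    samples = [
        "Google Chrome 107.0.5304.121",
        "Google Chrome 107.0.5304.110",
        "Google Chrome 106.0.5249.199",
        "Google Chrome 106.0.5249.119",
        "Chromium 108.0.0.0",
    ]
    for sample in samples:
        print(f"{sample}: {assess(sample)}")
    local = installed_version()
    if local:
        print(f"local install: {local}: {assess(local)}")
```

The per-branch table matters because a plain numeric comparison would wrongly flag the Extended Stable fix (106.0.5249.199) as older than an unpatched 107.0.5304.110 Stable build; the same parse-and-compare logic works for the Brave and Edge version strings once their own fixed builds are known.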
The manual update method described above is not available in Chrome for Android.
The Chrome vulnerability
Google confirmed that the update addresses a single security issue in the web browser. The official release notes page describes it as a heap buffer overflow in the GPU component. Google does not publish detailed information about vulnerabilities.
Without going into too many details, heap buffer overflow issues may lead to the execution of arbitrary code. Google confirms that the issue is exploited in the wild, which means that attacks are taking place at the time of writing.
The CVE-2022-4135 record lists additional information on the issue at hand:
“Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”
The issue affects all earlier versions of the Chrome browser on both the Stable and Extended Stable channels. The description highlights that the attack is web-based, using a specially crafted HTML page to exploit the issue. In other words, visiting a malicious webpage in an unpatched Chrome is enough to run the risk of being attacked successfully. Note that the CVE record describes a sandbox escape by an attacker who has already compromised the renderer process, so in practice this bug is chained with a separate renderer exploit rather than used on its own.
Google fixed 10 security issues in Chrome 107, which it released two weeks ago.
Other Chromium-based browsers
The security issue affects all Chromium-based browsers; this includes Microsoft Edge, Brave, Vivaldi and Opera.
So far, only Brave Software, maker of the Brave browser, has released a security update for its browser. The company confirmed the release on its Twitter account.
Brave users may load brave://settings/help or select Brave Icon > Help > About Brave to display the current version. Any new update is downloaded and installed automatically when that page is opened.