03/28 Update below. This post was originally published on March 26.
Google has issued an urgent upgrade warning to its billions of Chrome users around the world. Here is everything you need to know to stay safe.
[Image: A new zero-day high threat level hack has been found in Google Chrome. Credit: LightRocket via Getty Images]
Google issued the warning on its official Chrome blog, revealing that Chrome on Windows, macOS and Linux is vulnerable to a new ‘zero-day’ hack (CVE-2022-1096). Zero-day is the most dangerous form of attack because it means the vulnerability is known to hackers before Google could issue a fix. As the company admits, “Google is aware that an exploit for CVE-2022-1096 exists in the wild.” This means every Chrome user is vulnerable.
03/28 Update: Microsoft has now confirmed that the same zero-day hack affects its Edge browser. The company published a new update on its Security Response Center confirming that the exploit impacts all Chromium-based browsers: “The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based).” This means that other Chromium-based browsers, including Amazon Silk, Brave, Opera, Samsung Internet (bundled on its Galaxy smartphones), Vivaldi and Yandex browser are all highly likely to have been affected.
Microsoft also confirms that it has released a fix for Edge based on the Chromium update that Google already launched for Chrome. To get it, follow these steps:
- In your Microsoft Edge browser, click on the 3 dots (…) on the very right-hand side of the window
- Click on ‘Help and Feedback’
- Click on ‘About Microsoft Edge’
Microsoft states that the patched version of Edge is 99.0.1150.553, so if your browser is showing a lower number then you are still vulnerable.
Google is currently restricting information about the exploit to buy time for Chrome users to upgrade. At the time of publication, all the company has revealed is the threat level (“High”), the area of attack and who discovered it (it was an anonymous tip-off):
- High – CVE-2022-1096: Type Confusion in V8. Reported by anonymous on 2022-03-23
V8 is the Chrome component responsible for processing JavaScript, the engine at the heart of Chrome, and the hack tricks the browser into running a different type of (in this case, malicious) code. V8 attacks have been relatively rare in recent months, but they can be among the most dangerous if a hacker is able to create a successful exploit.
[Image: After updating, Chrome must be restarted before you are safe. Credit: Gordon Kelly]
In response, Google has announced an emergency update for Chrome (99.0.4844.84) “for Windows, Mac and Linux which will roll out over the coming days/weeks”. To check your browser version, navigate to Settings > Help > About Google Chrome — this will also force Chrome to check for updates. Note: you are not protected until you restart the browser.
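For anyone checking more than one machine, the version check and the restart caveat above can be scripted. The following is an added example, not code from Google or from the original article: it compares reported Chrome versions against the fixed build 99.0.4844.84 and separates hosts that are still unpatched from hosts that have the update installed but are still running the old process. The host names, the inventory records and the function names are constructed for illustration; other Chromium-based browsers use their own version numbers and need the fixed build their vendor states.

```python
import re

# Fixed Chrome build named in the article for CVE-2022-1096.
FIXED_CHROME = (99, 0, 4844, 84)

def parse_version(text):
    """Extract a four-part Chromium version from a banner such as
    'Google Chrome 99.0.4844.84' and return it as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def status(installed, running, fixed=FIXED_CHROME):
    """Classify one host. Tuples compare numerically field by field, so
    99.0.4844.9 sorts below 99.0.4844.84 (a string comparison would not)."""
    if parse_version(installed) < fixed:
        return "vulnerable"
    if parse_version(running) < fixed:
        return "restart-required"  # update is on disk, old process still runs
    return "patched"

# Constructed inventory: (host, installed banner, banner of running process).
INVENTORY = [
    ("ws-01", "Google Chrome 99.0.4844.82", "Google Chrome 99.0.4844.82"),
    ("ws-02", "Google Chrome 99.0.4844.84", "Google Chrome 99.0.4844.82"),
    ("ws-03", "Google Chrome 99.0.4844.84", "Google Chrome 99.0.4844.84"),
    ("ws-04", "Google Chrome 99.0.4844.9", "Google Chrome 99.0.4844.9"),
    ("ws-05", "Google Chrome 100.0.4896.60", "Google Chrome 100.0.4896.60"),
]

def triage(inventory=INVENTORY):
    """Return a host -> status mapping for the whole inventory."""
    return {host: status(inst, run) for host, inst, run in inventory}

if __name__ == "__main__":
    for host, result in triage().items():
        print(f"{host}: {result}")
```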
This is Chrome’s second zero-day hack in 2022, a relatively low number despite Google warning that zero-day hacks are rising. Take no chances, check your browser right now.