UPDATED 16:43 EST / APRIL 15 2022

SECURITY

Google releases patch for high-severity Chrome vulnerability

Google LLC said Thursday that it’s releasing a security patch to fix a high-severity vulnerability in its Chrome browser.

The vulnerability is known as CVE-2022-1364. Google is “aware that an exploit for CVE-2022-1364 exists in the wild,” the company stated. 

Google’s patch for the vulnerability is set to roll out in the coming days and weeks. In Thursday’s announcement of the patch, the search giant shared few technical details about the vulnerability, noting that “access to bug details and links may be kept restricted until a majority of users are updated with a fix.” Chrome has about 3 billion users worldwide.

Google did disclose that the vulnerability affects the browser’s V8 JavaScript engine. The engine is responsible for processing the JavaScript code in web pages.

Before a computer can load a web page, the web page must be turned into a form that the computer’s central processing unit can run. That’s the task the V8 engine performs: It compiles websites’ JavaScript code into machine code, the low-level language that a CPU uses to carry out computations. V8 also makes optimizations to speed up loading times. 

V8 is included in not only Chrome but also Chromium, an open-source project that contains much of the code for Google’s popular browser. That’s significant because Chromium is the basis of several other browsers including Microsoft Edge. Google didn’t specify in its Thursday announcement of the vulnerability whether Microsoft Edge may be affected as well.

The search giant described the vulnerability as a type confusion flaw. In an application such as a browser, there are many components that ingest data and then use it to carry out computations. Often an application component can’t ingest any type of data, but rather focuses on processing one specific type of input. Type confusion vulnerabilities such as the flaw Google patched in Chrome this week emerge when an application component receives input that it was not designed to process.

A type configuration vulnerability in an application can potentially enable hackers to launch cyberattacks. The severity of the newly detailed Chrome vulnerability is rated “High,” the second-highest severity grade that a vulnerability can receive after “Critical.”

CVE-2022-1364 is the second type of confusion flaw affecting Chrome’s V8 engine that Google has patched in the past month. Google detailed the previous vulnerability on March 25. That vulnerability also affected Chromium, the open-source project on which Microsoft Edge is based, which led Microsoft Corp. to release a patch for its browser.

Image: Google

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.