That’s what’s known in cybercrime slang as a drive-by install. Loosely speaking, that means it’s almost certain that merely visiting and viewing a booby-trapped website – something that’s not supposed to lead you into harm’s way on its own – could be enough to launch rogue code and implant malware on your device, without any popups or other download warnings. This Chrome update means that you’re now looking for a version number of 1.87 or later.Ĭonfusingly, that’s the version number to expect on Mac or Linux, while Windows users may get 1.87 or 1.88, and, no, we don’t know why there are two different numbers there.įor what it’s worth, the cause of this security hole was described as “type confusion in V8”, which is jargon for “there was an exploitable bug in the JavaScript engine that could be triggered by untrusted code and untrusted data that came in apparently innocently from outside”.
(Apple also regularly uses a similarly disengaged flavour of OMG-everybody-there’s-an-0-day notification, using words to the effect that it “is aware of a report that issue may have been actively exploited”.) Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild.
Google’s response was to push out another update as soon as it could: a one-bug fix dealing with CVE-2022-3723, described with Google’s customary we-can-neither-confirm-nor-deny legalism saying:
…only to receive a vulnerability report from researchers at cybersecurity company Avast on the very same day. Google pushed out a bunch of security fixes for the Chrome and Chromium browser code earlier this week…
0 kommentar(er)
