Google Releases Emergency Chrome 107 Update to Patch Actively Exploited Zero-Day


Google on Thursday released an emergency update for Chrome 107 to patch an actively exploited zero-day vulnerability.

The flaw, tracked as CVE-2022-3723, has been described as a type confusion issue affecting the V8 JavaScript engine.

“Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild,” Google said.

The internet giant was informed about the zero-day vulnerability by cybersecurity firm Avast on October 25.

This is the seventh Chrome zero-day patched by Google this year and the second reported by Avast.

The previous exploited vulnerability discovered by Avast, CVE-2022-2294, was patched by Google in early July with a Chrome 103 update. A few weeks later, Avast revealed that it had linked exploitation of the security hole to Candiru, an Israeli spyware company.

CVE-2022-2294 had been used in targeted attacks aimed at entities in the Middle East, including journalists in Lebanon, with other targets spotted in Turkey, Yemen and Palestine. The Chrome zero-day was only exploited against high-value targets, to which the attackers delivered a sophisticated information-stealing malware named DevilsTongue.

It’s worth noting that CVE-2022-2294 affects WebRTC, a component present in other Chromium-based browsers as well, including Edge and Safari. Microsoft and Apple both released patches at the time.

It’s unclear if the attacks exploiting the new CVE-2022-3723 are also related to the Candiru-linked operation. SecurityWeek has reached out to Avast and will share updates if more information comes to light.


By Eduard Kovacs on Fri, 28 Oct 2022 09:29:58 +0000