Google developers have released Chrome version 98.0.4758.102 (for Windows, Mac and Linux), which fixes a zero-day vulnerability that has already been exploited by hackers.
The issue in question (CVE-2022-0609) is a use-after-free vulnerability in the Animation component. Typically, attackers use these bugs to execute arbitrary code on computers with vulnerable versions of Chrome, as well as to escape from the sandbox.
More detailed technical information about the bug is not yet known, it is only known that the Google Threat Analysis Group (TAG) specialists discovered the vulnerability.
Unfortunately, there is no exact data on attacks using this bug either. Google traditionally explains: “Access to information about vulnerabilities and links may be limited until the majority of users install patches.”
It’s worth noting that Chrome 98.0.4758.102 also fixes six more severe and one moderate vulnerabilities that the company has been notified about by third-party researchers. The most important of these problems can be called CVE-2022-0603 – a use-after-free bug in the file manager. The researcher who reported the bug received a $15,000 bounty from Google.
Next in line are CVE-2022-0604 (Hip Buffer Overflow in Tab Groups), CVE-2022-0605 (use-after-free bug in Webstore API) and CVE-2022-0606 (use-after-free in Angle). The company paid the experts $7,000 for each of these errors.