谷歌为Windows,Mac和Linux发布了版本100.0.4896.127版本,来修复一个被活跃用于攻击的重要零日漏洞。
Google has released Chrome 100.0.4896.127 for Windows, Mac, and Linux, to fix a high-severity zero-day vulnerability actively used by threat actors in attacks.
“谷歌知道存在着利用CVE-2022-1364漏洞的情况,”谷歌在今天发布的一个安全建议里说。
谷歌称这个更新将在接下来几周里发出,用户们现在可以进入Chrome菜单>帮助>关于Google Chrome来立即获取更新。
While Google states that this Chrome update will roll out in the next few weeks, users can receive it immediately by going into the Chrome menu > Help > About Google Chrome.
在您下次关闭并重新启动Chrome的时候,它也会自动检查更新并安装。
The browser will also automatically check for new updates and install them the next time you close and relaunch Google Chrome.
由于这个漏洞被活跃的运用于攻击中,我们强烈建议您手动检查更新并重启浏览器来应用更新。
As this bug is actively exploited in attacks, it is strongly advised that you perform a manual check for new updates and relaunch the browser to apply them.
公开的细节很少
Few details disclosed
今天修复的零日漏洞被称为CVE-2022-1364,是一个Chrome V8 JavaScript引擎中的高重要性的类型混淆漏洞。
The zero-day bug fixed today is tracked as CVE-2022-1364 and is a high severity type confusion weakness in the Chrome V8 JavaScript engine.
这种混淆一般会导致浏览器在成功通过读或写缓冲区边界外的内存被入侵后崩溃,攻击者也可以用它们来执行任意代码。
While type confusion flaws generally lead to browser crashes following successful exploitation by reading or writing memory out of buffer bounds, attackers can also exploit them to execute arbitrary code.
这个漏洞是由来自谷歌的威胁分析小组的Clément Lecigne发现的,并在昨天被报告给了谷歌的Chrome团队。
This vulnerability was discovered by Clément Lecigne from Google’s Threat Analysis Group who reported it to the Google Chrome team yesterday.
虽然谷歌说自己已经检测到了利用这个零日漏洞的攻击,其并没有提供有关攻击如何实施的更多细节。
While Google said they have detected attacks exploiting this zero-day, it did not provide further details regarding how these attacks are conducted.
“在大部分用户升级之前,有关漏洞的更多信息和连接将被限制访问,”谷歌说。
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.
这是此次更新里透露的唯一一个更新,说明Chrome 100.0.4896.127是为了修复这个问题的紧急更新。
This is the only vulnerability disclosed in this update, indicating that Chrome 100.0.4896.127 was pushed out as an emergency update to resolve this issue.
这是Chrome在今年发现的第三个漏洞
Third Chome zero-day fixed this year
随着此次更新,谷歌已经在2022年初发现了三个零日漏洞了。
With this update, Google has addressed the third Chrome zero-day since the start of 2022.
之前的两个分别如下:
The previous two vulnerabilities found in 2022 are listed below.
CVE-2022-1096(三月25日)
CVE-2022-0609(二月14日)
由于这个零日漏洞已被发现用于攻击,我们强烈建议您尽早更新Chrome。
As this zero-day is known to be used in attacks, it is strongly advised to update Google Chrome as soon as possible.
原文:Google Chrome emergency update fixes zero-day used in attacks (bleepingcomputer.com)
Comments