Google has released an update for Chrome on Windows, Linux and macOS patching a high-severity vulnerability, CVE-2022-307, caused by insufficient data validation in Mojo, a collection of libraries used by Chromium. The patch, version 105.0.5195.102, will be rolled out to users in the coming days and weeks, and all users are advised to upgrade to the latest version as soon as possible.
While Google notes that it’s aware of exploits around the vulnerability in the wild, it hasn’t given out the exact details of how the patch works and what bugs it’s fixing, choosing to withhold that information until a significant number of Chrome users are on the latest update. Even the CVE page for the vulnerability has been reserved by Google to be announced later.
The vulnerability itself was reported to Google by an anonymous security researcher on August 30, whose bug bounty is yet to be determined.
As for Mojo, it’s a set of cross-platform runtime libraries providing IPC primitives, a message IDL format and a bindings library with code generation supported across multiple target languages. This means that just one Mojo embedder process can make the core and bindings (written in C++, Java or JavaScript) interact with the core without much hassle.
Unfortunately, improper data validation here can potentially give an attacker a chance to inject arbitrary code that can then run on the target system and fetch additional payloads. This can also be converted to an RCE or Remote Code Execution vulnerability where the attacker doesn’t even require local access to your computer to inject malicious code.
While we’ll have to wait for Google to reveal exact details about the issue, this might just be the most likely cause behind the vulnerability.
In the News: TikTok partially breached: Over 2 billion database records at risk
