Google has released Chrome 100.0.4896.127 for Windows, Mac, and Linux to fix a high-severity zero-day vulnerability that is being actively exploited: CVE-2022-1364.

The patched zero-day, tracked as CVE-2022-1364, is a high-severity type confusion vulnerability in Chrome's V8 JavaScript engine. Type confusion bugs typically crash the browser by causing memory reads or writes outside buffer boundaries, but an attacker can also exploit them to execute arbitrary code.

The vulnerability was discovered by Clément Lecigne of Google's Threat Analysis Team, who reported it to the Google Chrome team on Twitter.

The latest patch includes two security fixes, and a mandatory update will be rolled out over the next few days or weeks. Once the mandatory update is rolled out, the browser will automatically check for new updates and install them when Google Chrome is closed and restarted. Users can, however, update to the patched version immediately by going to Chrome Menu > Help > About Google Chrome.

Google said in the security bulletin it released: "We are aware that the CVE-2022-1364 vulnerability exists in the wild." Given that the vulnerability is being actively exploited, it is recommended that you update manually right away.
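For a quick check across the machines you manage, the following script (an added example, not part of the original article or of Google's tooling) parses the output of `google-chrome --version` and compares it numerically against the fixed build 100.0.4896.127. It assumes the Linux binary name `google-chrome`; on other platforms pass the path to the Chrome executable. The numeric comparison matters: a plain string comparison would rank 100.0.4896.99 above 100.0.4896.127 and report a vulnerable build as patched.

```python
import re
import subprocess
from typing import Optional, Tuple

# Chrome build that fixes CVE-2022-1364 (from the advisory above).
FIXED_VERSION = "100.0.4896.127"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from text such as
    'Google Chrome 100.0.4896.88' and return it as a tuple of ints.
    Returns None when no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the parsed version is at or above the fixed build.
    Unparseable input is treated as NOT patched so it gets looked at."""
    installed = parse_chrome_version(version_text)
    required = parse_chrome_version(fixed)
    if installed is None or required is None:
        return False
    # Tuples of ints compare element by element, so 4896.127 > 4896.99
    # as expected; the raw strings would compare the other way round.
    return installed >= required


def installed_version_text(binary: str = "google-chrome") -> str:
    """Run '<binary> --version' and return its stdout, or '' on failure.
    The default binary name is an assumption that holds on most Linux
    installs; adjust it for Windows or macOS paths."""
    try:
        result = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return result.stdout


if __name__ == "__main__":
    text = installed_version_text()
    status = "patched" if is_patched(text) else "VULNERABLE or unknown"
    print(f"{text.strip() or 'Chrome not found'}: {status} (CVE-2022-1364)")
```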
