Update Chrome and Edge as soon as possible. A Chrome update patches a high-severity vulnerability.
Updated Information
The original post included an outdated version of Chrome. The correct version to update to is Chrome 105.0.5195.102.
September 6, 2022
This message was sent to U-M IT groups on Tuesday, September 6, 2022. It is intended for U-M IT staff who are responsible for university devices running the Google Chrome or Microsoft Edge web browsers. It will also be of interest to individuals who have Chrome or Edge installed on their own devices.
Summary
Update Chrome and Edge as soon as possible. A Chrome update (Chrome 105.0.5195.102) patches a high-severity vulnerability. Microsoft Edge, which is based on Chromium, also released an update (Edge 105.0.1343.27).
Google is aware of reports that an exploit exists in the wild. Be aware that by default, automatic updates to Chrome and Edge happen in the background when you relaunch the browser. If you seldom close and reopen Chrome or Edge, check the browser’s Settings > About for pending updates and update if necessary.
Problem
Google and Microsoft have announced a vulnerability (CVE-2022-3075) in the Chrome and Edge web browsers. According to The Verge, the vulnerability has to do with “Insufficient data validation” in Mojo, a collection of runtime libraries used by Chromium, the codebase that Google Chrome and Microsoft Edge are built on. Google is aware of reports that an exploit exists in the wild, although details about the attacks have not been made public. Google and Microsoft have released updates to fix the vulnerability.
Affected Versions
All versions of Google Chrome before 105.0.5195.102 and Microsoft Edge before 105.0.1343.27.
Action Items
Update Chrome to version 105.0.5195.102 and Edge to version 105.0.1343.27 as soon as possible. Be aware that automatic updates to Chrome and Edge normally happen in the background when you relaunch the browsers. If you seldom close and reopen Chrome or Edge, check the browser’s Settings > About for pending updates and update if necessary.
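For IT staff tracking many devices, a quick way to confirm the action item is to compare each reported browser version against the fixed builds named above. The script below is an added example, not part of this advisory or of any U-M tooling; the minimum versions are the ones stated above, the `installed_version` helper and the sample inventory rows are constructed for illustration.

```python
"""Check browser version strings against the minimum builds that carry the CVE-2022-3075 fix."""
import re
import shutil
import subprocess

# Fixed builds as stated in the advisory (Chrome 105.0.5195.102, Edge 105.0.1343.27).
MIN_PATCHED = {
    "chrome": "105.0.5195.102",
    "edge": "105.0.1343.27",
}


def parse_version(text):
    """Extract the dotted 4-part build number from text such as 'Google Chrome 105.0.5195.102'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(p) for p in m.groups())  # tuples compare component-wise, unlike strings


def is_patched(product, version_text):
    """True when the reported build is at or above the fixed build for that product."""
    return parse_version(version_text) >= parse_version(MIN_PATCHED[product])


def installed_version(binary):
    """Ask a locally installed browser binary for its version via '--version' (Linux/macOS CLI;
    assumed helper). Returns None when the binary is not on PATH so the check degrades cleanly."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
    return out.stdout.strip() or None


def audit(inventory):
    """inventory: list of (hostname, product, version string). Returns hosts still on a stale build."""
    return [host for host, product, ver in inventory if not is_patched(product, ver)]


if __name__ == "__main__":
    # Constructed sample inventory: one patched host, one stale Chrome, one stale Edge.
    sample = [
        ("lab-pc-01", "chrome", "Google Chrome 105.0.5195.102"),
        ("lab-pc-02", "chrome", "Google Chrome 104.0.5112.101"),
        ("lab-pc-03", "edge", "Microsoft Edge 105.0.1343.25"),
    ]
    for host in audit(sample):
        print(f"{host}: needs update")
```

On Windows, read the version from the browser's "About" page or the installed-programs list instead of `--version`; the comparison logic is the same.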
Threats
Google is aware of reports that an exploit exists in the wild.
Technical Details
The issue concerns a case of insufficient data validation in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). Google is restricting access to bug details until a majority of users are updated with a fix.
How We Protect U-M
- MiWorkspace machines: The update is available for MiWorkspace managed machines. If necessary, please take time to relaunch the Chrome or Edge browser as soon as possible. Applying updates when they become available is the best protection for your U-M-managed systems and devices.
- Personally managed or personally owned devices: It is your responsibility to secure any personally-managed U-M devices or personally-owned devices used for U-M business. ITS IA provides guidance on the Safe Computing website in the sections Manage U-M Workstations and Secure Your Devices to help you secure systems and devices you manage or personally own.
- ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). If you need assistance installing Falcon on a U-M-owned device, contact your unit's Falcon administrator or Security Unit Liaison (SUL).
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Google Chrome’s latest update has a security fix you should install ASAP (The Verge, 9/5/22)
- Chrome and Edge fix zero-day security hole – update now! (Naked Security, 9/5/22)
- Google Releases Urgent Chrome Update to Patch New Zero-Day Vulnerability (The Hacker News, 9/3/22)
- Stable Channel Update for Desktop (Google Chrome Releases, 9/2/22)