Google Chrome Hit By Another 2022 Zero-Day Hack

03/29 Update below. This post was originally published on March 26

Google has issued an urgent upgrade warning to its billions of Chrome users around the world. Here is everything you need to know to stay safe.

MORE FROM FORBESGoogle Confirms Rise In Serious Chrome Attacks – And Why

Google issued the warning on its official Chrome blog, revealing that Chrome on Windows, macOS and Linux is vulnerable to a new ‘zero-day’ hack (CVE-2022-1096). Zero-day is the most dangerous form of attack because it means the vulnerability is known to hackers before Google could issue a fix. As the company admits, “Google is aware that an exploit for CVE-2022-1096 exists in the wild.” This means every Chrome user is vulnerable.

03/28 Update: Microsoft has now confirmed that the same zero-day hack affects its Edge browser. The company published a new update on its Security Response Center confirming that the exploit impacts all Chromium-based browsers: “The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based).” This means that other Chromium-based browsers, including Amazon Silk, Brave, Opera, Samsung Internet (bundled on its Galaxy smartphones), Vivaldi and Yandex browser are all highly likely to have been affected.

Microsoft also confirms that it has released a fix for Edge based on the Chromium update that Google already launched for Chrome. To get it, follow these steps:

  1. In your Microsoft Edge browser, click on the 3 dots (…) on the very right-hand side of the window
  2. Click on ‘Help and Feedback’
  3. Click on ‘About Microsoft Edge’

Microsoft states that the patched version of Edge is 99.0.1150.553, so if your browser is showing a lower number then you are still vulnerable.

Google is currently restricting information about the exploit to buy time for Chrome users to upgrade. At the time of publication, all the company has revealed is the threat level (“High”), the area of attack and who discovered it (it was an anonymous tip-off):