A few days after Google patched a high-severity bug that was being exploited in the wild, Microsoft has done the same for Edge.
Tracked as CVE-2022-2294, the flaw is present in the Chromium browser engine, which means both Chrome and Edge are affected.
Other than revealing the zero-day is being exploited in the wild, Google has kept the details to itself. This is most likely to give users enough time to patch (opens in new tab) their endpoints, and to avoid supplying threat actors with ammunition for further attacks.
Known zero-day
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
We do know the flaw is a high-severity heap-based buffer overflow weakness, discovered by Avast’s Jan Vojtesek, in the WebRTC (Web Real-Time Communications) component.
In the same vein, Microsoft has decided to stay tight-lipped as well. “This update contains a fix for CVE-2022-2294, which has been reported by the Chromium team as having an exploit in the wild,” the company said in the patch log.
The Edge build that plugged the hole is 103.0.1264.48, and users are advised to update immediately, in case the browser doesn’t do so automatically.
To make sure you are running the latest version of the browser, open up the menu and navigate to Help and Feedback > About Microsoft Edge.