Microsoft has followed Google’s lead and issued an update for its Edge browser following the arrival of a WebRTC zero-day.
The Windows giant uses the Chromium engine in its latest browser. As such, when something needs urgent fixing in Chrome, one can expect Edge to follow not far behind. For CVE-2022-2294 and CVE-2022-2295, a new version of Edge has been pushed out, taking the version number in the stable channel to 103.0.1264.49.
Most serious of the duo is CVE-2022-2294, a heap buffer overflow in the open-source real-time comms platform WebRTC, which, according to Google, is being actively exploited.
Other than an update, there has been precious little information on how to defend against the vulnerability. Microsoft remained tight-lipped on the matter, merely saying that since Edge “ingests” Chromium, the vulnerabilities had been addressed.
The other fix in the maintenance release, that should get downloaded automatically, is CVE-2022-2295, which is a type confusion in V8, Google’s JavaScript engine. The issue appears to be bedevilling the search giant’s browser project. CVE-2022-1096 (fixed in March) also suffered from type confusion issues, which could lead to out-of-bounds memory access.
Confusion might also apply to the numbering of the vulnerabilities between tech giants. While Microsoft’s Security Update Guide supports CVEs assigned by industry partners (such as Chromium), it appears to have switched the numbers around and listed CVE-2022-2294 as the type confusion and 2295 as the WebRTC whoopsie. The Register contacted the company for clarification. After all, if they can’t keep their numbers straight, what hope can we have for them fixing the browser?
Microsoft’s Edge browser originally used Microsoft’s own proprietary browser engine. The company admitted defeat in 2019 and adopted Chromium. A release to general availability happened in January 2020.
Microsoft has since been forcing the app down the throat of users as it seeks to regain lost eyeballs. At the time of writing, Microsoft Edge had reached double figures in terms of marketshare, ahead of rivals such as Firefox, but still a long way behind Chrome.
While the adoption of Chromium has eased the compatibility headaches of Edge, vulnerabilities in the Chromium rendering engine will apply equally to Edge as well as Chrome (and other browsers based on the code.)
As well as a fix for the stable version, Microsoft also issued a patch for the extended stable incarnation, bringing the version number to 102.0.1245.56. ®