An avalanche of updates to many popular browsers came to public. The reason is a nasty vulnerability in one of the dependencies of Chromium engine.
The vulnerability is also known as CVE-2022-3075: Insufficient data validation in Mojo was recently fixed by Google. As a result, Google published a new version of Chrome (stable track) and Chromium 105.0.5195.102 - for Windows, MacOS and Linux.
Interesting thing is that the scale and impact of this vulnerability is yet to be understood. As it's found in a Mojo library, the list of affected software not only include many of family of Google browsers, but also all Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi, plus any other software that depends on vulnerable version of Mojo. Isn't it nice?
From the Google Chromium source code page, Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries. In other words, it's one of this universal cross-platform layers to ease software developers life by hiding operating system details. The program code becomes the same for all platforms. Apache APR is another popular example. But the downside of it cannot be underestimated: a bug will automatically affect large scale of "consumers".
Below is an example of massive update activity performed by operating system maintainers:
-
many others ...
Useful Links