Emergency Chrome Update Addresses First Zero-Day of 2023
April 14, 2023
Google has issued an emergency security update for its Chrome browser to tackle the first zero-day vulnerability exploited in attacks since the beginning of the year. In a security advisory published on Friday, the company stated, "Google is aware that an exploit for CVE-2023-2033 exists in the wild." The new version is being rolled out to users in the Stable Desktop channel and is expected to reach the entire user base within days or weeks. Chrome users are advised to update to version 112.0.5615.121 as soon as possible, as this release addresses CVE-2023-2033 on Windows, Mac, and Linux systems. Chrome also checks for new updates automatically and installs them on the next restart, without requiring user interaction.
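A fleet check for the advice above, added here as an example rather than anything from the article or from Google: it compares reported Chrome versions against the fixed build numerically, since a plain string comparison would wrongly rank 112.0.5615.99 above 112.0.5615.121. The host names and version strings in the sample inventory are constructed.

```python
"""Check whether a reported Chrome version is at or above the build that
fixes CVE-2023-2033 (112.0.5615.121 on Windows, Mac and Linux).

Added example, not from the article. The sample version strings below are
constructed; in a real inventory they would come from e.g. `google-chrome
--version` on Linux or the "About Chrome" page on Windows and macOS."""
import re
from typing import Tuple

FIXED_VERSION = "112.0.5615.121"  # fixed build named in Google's advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part dotted Chrome version from free text and return
    it as an integer tuple so comparisons are numeric, not lexicographic
    ("112.0.5615.99" must sort below "112.0.5615.121")."""
    m = re.search(r"(\d+(?:\.\d+){3})", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(reported: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the reported build already carries the fix."""
    return parse_version(reported) >= parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Map host -> 'patched' or 'update required' for a fleet inventory."""
    return {host: ("patched" if is_patched(ver) else "update required")
            for host, ver in inventory.items()}


# Constructed sample inventory: the first two lines are in the format that
# `google-chrome --version` prints on Linux, the others are bare version
# strings as an endpoint agent might report them.
SAMPLE_INVENTORY = {
    "lnx-01": "Google Chrome 112.0.5615.121",
    "lnx-02": "Google Chrome 112.0.5615.49",
    "win-01": "112.0.5615.99",
    "mac-01": "113.0.5672.63",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```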
The high-severity zero-day vulnerability (CVE-2023-2033) is a type confusion weakness in Chrome's V8 JavaScript engine. The bug was reported by Clement Lecigne of Google's Threat Analysis Group (TAG), which primarily focuses on defending Google customers from state-sponsored attacks. Google TAG frequently discovers and reports zero-day bugs exploited in highly targeted attacks by government-sponsored threat actors seeking to install spyware on devices belonging to high-risk individuals, such as journalists, opposition politicians, and dissidents worldwide.
Type confusion flaws typically let an attacker crash the browser by reading or writing memory outside buffer bounds, but threat actors can also exploit them for arbitrary code execution on the affected device. While Google acknowledged the existence of CVE-2023-2033 zero-day exploits used in attacks, the company has not yet provided further details about these incidents. Google explained, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed." This approach gives Chrome users time to update their browsers and block attack attempts before technical details are released, which could otherwise help more threat actors develop their own exploits.