Google has issued an emergency security update for its Chrome browser to tackle the first zero-day vulnerability exploited in attacks since the beginning of the year. In a security advisory published on Friday, the company stated, "Google is aware that an exploit for CVE-2023-2033 exists in the wild." The new version is being rolled out to users in the Stable Desktop channel and is expected to reach the entire user base within days or weeks. Chrome users are advised to update to version 112.0.5615.121 as soon as possible, as this release addresses CVE-2023-2033 on Windows, Mac, and Linux systems. The browser also checks for new updates automatically and installs them after a restart, without requiring user interaction.
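To confirm that managed hosts actually received the fixed build rather than merely being told to update, here is an added example (not from Google or the advisory) that compares installed Chrome version strings against the fixed version numerically; the fixed version 112.0.5615.121 comes from the advisory, while the inventory values and the function names are constructed for illustration.

```python
"""Check whether installed Chrome builds carry the fix for CVE-2023-2033.

Added example, not Google's code. Only the fixed version string is taken from
the advisory; the sample inventory below is constructed.
"""
from __future__ import annotations

# First Stable Desktop build that fixes CVE-2023-2033 (from the advisory).
FIXED_VERSION = "112.0.5615.121"


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted Chrome version into a tuple of ints.

    A plain string comparison is wrong here: "112.0.5615.49" sorts after
    "112.0.5615.121" lexically, but 49 < 121 numerically.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed build.

    Shorter versions are padded with zeros, so "113.0" counts as newer.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def report(hosts: dict[str, str], fixed: str = FIXED_VERSION) -> list[str]:
    """Return the hostnames whose Chrome version still needs the update."""
    return sorted(h for h, v in hosts.items() if not is_patched(v, fixed))


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> installed Chrome version).
    inventory = {
        "ws-01": "112.0.5615.49",
        "ws-02": "112.0.5615.121",
        "ws-03": "111.0.5563.146",
        "ws-04": "113.0.5672.63",
    }
    for host in report(inventory):
        print(f"{host}: Chrome {inventory[host]} lacks the CVE-2023-2033 fix; "
              f"update to {FIXED_VERSION}")
```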
Although type confusion flaws are typically exploited to crash the browser by reading or writing memory outside buffer bounds, threat actors can also use them to achieve arbitrary code execution on compromised devices. While Google acknowledged that CVE-2023-2033 zero-day exploits have been used in attacks, the company has not yet provided further details about these incidents. Google explained, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed." This approach gives Google Chrome users time to update their browsers and block attack attempts before technical details are released, which could otherwise allow more threat actors to develop their own exploits.