Google Addresses Third Chrome Zero-Day Exploit in 2023

June 6, 2023

Google has issued a security update for its Chrome web browser, addressing the third zero-day vulnerability that has been exploited in 2023. According to the security bulletin, "Google is aware that an exploit for CVE-2023-3079 exists in the wild." However, the company has chosen not to release details about the exploit or its use in attacks, only providing information on the severity of the flaw and its nature. This approach is typical for Google when a new security issue is discovered, as it aims to protect users until most have migrated to a secure version and to prevent adversaries from using the details to develop additional exploits. Google states, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

CVE-2023-3079 is considered a high-severity issue and was discovered by Google researcher Clément Lecigne on June 1, 2023. The vulnerability is a type confusion in V8, Chrome's JavaScript engine, which is responsible for executing code within the browser. Type confusion bugs occur when the engine incorrectly interprets the type of an object at runtime, potentially leading to malicious memory manipulation and arbitrary code execution.

Earlier this year, Google fixed the first zero-day vulnerability in Chrome, CVE-2023-2033, which was also a type confusion bug in the V8 JavaScript engine. Shortly after, the company released an emergency security update to patch CVE-2023-2136, an actively exploited vulnerability affecting Chrome's 2D graphics library, Skia. Zero-day vulnerabilities are frequently exploited by sophisticated state-sponsored threat actors, primarily targeting high-profile individuals within government, media, or other essential organizations. As a result, it is strongly recommended that all Chrome users install the available security update as soon as possible.

In addition to fixing the new zero-day, the latest Chrome version addresses various issues discovered through internal audits and code fuzzing analysis. Google indicates that the update will roll out gradually over the coming days or weeks, so not everyone will receive it simultaneously. To start the update manually, users can open the Chrome settings menu (upper right corner) and select Help → About Google Chrome. Relaunching the application is necessary to complete the update. Security updates are also installed automatically, without user intervention, when the browser starts, so users should check the "About" page to ensure they are running the latest version. The stable channel release addressing the flaw with an exploit in the wild is version 114.0.5735.110 for Windows and 114.0.5735.106 for Mac and Linux.
