Google Releases Emergency Patch for Actively Exploited Zero-Day Vulnerability in Chrome

3 mins read

Google has released an emergency security update to patch a zero-day vulnerability in its Chrome desktop browser, which was actively exploited in the wild.

Google recently released an emergency security update to address a zero-day vulnerability in its Chrome desktop browser, which the company has confirmed is being actively exploited. The vulnerability, tracked as CVE-2023-2033, affects versions of the browser prior to build version 112.0.5615.121 and has a high CVSS rating. It is classified as a confusion flaw located in Chrome's V8 open-source JavaScript engine, and allows a remote attacker to potentially exploit heap corruption through a crafted HTML page.

A confusion vulnerability can lead to out-of-bounds memory access in languages like C and C++ without memory protection. Confusion vulnerabilities, in the context of Chrome's V8 JavaScript, occur when the program allocates or initializes a resource, such as a pointer, object, or variable, using one type, but it later accesses that resource using a type that is incompatible with the original type. This leads to the program behaving in unexpected ways, and can potentially allow an attacker to take advantage of the confusion to execute arbitrary code.

The exploit for CVE-2023-2033 is already in the wild, according to Google. However, the company has not shared any additional technical details or indicators of compromise (IoCs) to prevent further exploitation by threat actors. Google has stated that it will keep specific information restricted until a majority of users have been updated with a fix.

Google has also not provided any additional details about the bug, the in-the-wild exploitation, indicators of compromise (IOCs), or any guidance on the profile of targeted machines. It is unclear who is behind the exploitation of this vulnerability, what their motives are, or how long they have been active.

In addition to addressing CVE-2023-2033, the patch update included a second security fix. However, no CVE was provided for the second bug. Clement Lecigne of Google's Threat Analysis Group is credited with identifying CVE-2023-2033, and Google's swift response to the vulnerability is commendable. The company has released an update to Chrome that will patch the vulnerability and roll out via the software's automatic patching mechanism over the coming days and weeks.

This zero-day flaw is the first one to be addressed by Google in 2023. Other tech giants, such as Microsoft and Apple, have also had to deal with zero-day exploits this year. Microsoft recently acknowledged a zero-day in its flagship Windows operating system, which was being exploited by ransomware actors. Apple also released a major patch last week to fix a pair of code execution flaws in its iOS, macOS, and iPadOS platforms.

So far this year, there have been 20 documented in-the-wild zero-day compromises, according to data tracked by SecurityWeek. Security defects in code from Microsoft, Apple, and Google account for 12 of the 20 zero-days in 2023. The fact that multiple zero-day vulnerabilities have been discovered and exploited this year highlights the importance of constant vigilance in the field of cybersecurity, and the need for organizations to take proactive measures to protect their systems.

The image used in this article was generated with the assistance of AI.