Google fixes new Chrome zero-day flaw with exploit in the wild


Google has released a security update for Chrome web browser to address the third zero-day vulnerability that hackers exploited this year.

“Google is aware that an exploit for CVE-2023-3079 exists in the wild,” reads the security bulletin.

Exploitation details unknown

The company has not released details about how the exploit and how it was used in attacks, limiting the information to the severity of the flaw and its type.

Withholding technical information is the usual stance from Google when a new security issue is found. This is to protect users until most of them migrated to secure version, as adversaries could use the details to develop additional exploits.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed” – Google

CVE-2023-3079 has been assessed to be a high-severity issue and it was discovered by Google’s researcher Clément Lecigne on June 1, 2023, and is a type confusion in V8, Chrome’s JavaScript engine tasked with executing code within the browser.

Type confusion bugs arise when the engine misinterprets the type of an object during runtime, potentially leading to malicious memory manipulation and arbitrary code execution.

The first zero-day vulnerability that Google fixed in Chrome this year was CVE-2023-2033, which is also a type confusion bug in the V8 JavaScript engine.

A few days later, Google released an emergency security update for Chrome to patch CVE-2023-2136, an actively exploited vulnerability impacting the browser’s 2D graphics library, Skia.

Zero-day vulnerabilities are often exploited by sophisticated state-sponsored threat actors, aiming primarily at high-profile figures within government, media, or other vital organizations. Therefore, it is strongly recommended that all Chrome users install the available security update as soon as possible.

Along with fixing a new zero-day, the latest Chrome version addresses various issues discovered from internal audits and code fuzzing analysis.

Google says the update will roll out in the coming days/weeks, so it is a gradual distribution that won’t reach everyone simultaneously.

Update Chrome browser

To start the Chrome update procedure manually to the latest version that addresses the actively exploited security issue, head to the Chrome settings menu (upper right corner) and select Help → About Google Chrome.

Relaunching the application is required to complete the update.

Chrome about

Available security updates are also automatically installed the next time the browser starts without user intervention, so check the “About” page to ensure you’re running the latest version.

The new stable channel release addressing the flaw that has an exploit in the wild is version 114.0.5735.110 for Windows and 114.0.5735.106 for Mac and Linux.



Source link