Google urgently released an out-of-band update on Friday, addressing an actively exploited zero-day flaw in the Chrome web browser. This marks the first bug of its kind to be resolved since the beginning of the year.
Addressing the exploited Zero-Day in Chrome
The vulnerability, tracked as CVE-2023-2033, is a high-severity type confusion issue in the V8 JavaScript engine. Google’s Threat Analysis Group (TAG) member Clement Lecigne reported the issue on April 11, 2023.
According to the NIST’s National Vulnerability Database (NVD), “Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.” Google admitted that an exploit for CVE-2023-2033 exists in the wild. However, they did not provide additional technical details or indicators of compromise (IoCs) to prevent further exploitation by threat actors.
CVE-2023-2033 shares similarities with four other actively abused type confusion flaws in V8 (CVE-2022-1096, CVE-2022-1364, CVE-2022-3723, and CVE-2022-4262) that Google fixed in 2022.
In 2022, Google resolved a total of nine zero-day vulnerabilities in Chrome. This update follows the recent disclosure by Citizen Lab and Microsoft of a now-patched flaw in Apple iOS, exploited by QuaDream’s customers to target journalists, political opposition figures, and an NGO worker in 2021.
Users should upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes when they become available.
{{user}} {{datetime}}
{{text}}