
Google rushes to fix Chrome zero-day bug


Google has shipped an emergency patch to fix a zero-day vulnerability in Chrome, tracked as CVE-2023-2033. When exploited, the vulnerability lets a remote attacker run arbitrary code within the browser, meaning that visiting a malicious website with a vulnerable version of the browser can lead to your device being hijacked.

It’s a type confusion flaw, a class of bug that typically lets an attacker read or write memory outside its intended bounds and crash the browser. As is the case here, though, threat actors can also use such a flaw to run arbitrary code on vulnerable devices.

The vulnerability is present in at least Chrome’s desktop versions prior to 112.0.5615.121. The bug lies in the V8 JavaScript engine used by the browser and was patched by Google in an April 14 update for Windows, Linux and macOS. Since exploit code for the vulnerability is already said to be circulating and may very well already be in use, Chrome users are advised to update their browsers as soon as possible.
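The practical question for anyone managing Chrome installs is whether a given build is older than the fixed version named above. The following Python script is an added example, not code from the article or from Google: it parses a four-part Chrome version out of a string (a bare version, or the output line of `google-chrome --version`) and compares it numerically against 112.0.5615.121. The hostnames and version strings in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed desktop Chrome version named in the advisory for CVE-2023-2033.
FIXED_VERSION = "112.0.5615.121"

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from a string such as
    "Google Chrome 112.0.5615.49" (the `--version` output) or a bare
    "112.0.5615.121". Returns None when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True when the reported version is older than the fixed build,
    False when it is at or above it, None when the string has no version.
    Components are compared as integers: 112.0.5615.49 is older than
    112.0.5615.121 even though a plain string comparison would put it
    after, because "4" sorts after "1"."""
    reported = parse_version(version_text)
    fixed_parts = parse_version(fixed)
    if reported is None or fixed_parts is None:
        return None
    return reported < fixed_parts


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host in a host -> reported-version mapping as
    'update' (older than the fix), 'ok' (fixed or newer) or
    'unknown' (no parseable version, e.g. Chrome not installed)."""
    labels = {}
    for host, reported in inventory.items():
        state = is_vulnerable(reported)
        if state is None:
            labels[host] = "unknown"
        else:
            labels[host] = "update" if state else "ok"
    return labels


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 112.0.5615.49",
    "ws-02": "Google Chrome 112.0.5615.121",
    "ws-03": "Google Chrome 113.0.5672.63",
    "ws-04": "chrome not installed",
    "ws-05": "111.0.5563.147",
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {label}")
```

The numeric comparison is the point of the example: a naive string comparison of version numbers misclassifies 112.0.5615.49 as newer than 112.0.5615.121, which would leave a vulnerable host marked as patched.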

According to Google, the vulnerability was discovered by Clément Lecigne of the company’s Threat Analysis Group on April 11. As is Google’s usual practice, full details on how the bug works and can be exploited haven’t yet been released, to keep attacks to a minimum while users install the new update. These restrictions will also be kept in place if the bug exists in a third-party library that other projects depend on but haven’t yet fixed.

Additionally, the update includes a number of other fixes from “internal audits, fuzzing and other initiatives”. CVE-2023-2033 is the first zero-day bug Google has patched this year. The new version is now rolling out to users in the Stable Desktop channel and will reach the entire user base over the coming few weeks.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
