Google has shipped an emergency patch for a zero-day vulnerability in Chrome, tracked as CVE-2023-2033, which is already being exploited in the wild. The bug lets a remote attacker execute arbitrary code in the context of the browser, so simply visiting a malicious web page with an unpatched version can be enough to compromise the browser and, when chained with a sandbox escape, the device it runs on.
It is a type confusion flaw in V8, Chrome’s JavaScript engine: code treats an object in memory as if it were of a different type than it actually is, so field reads and writes land outside the real object’s bounds. In the benign case that simply crashes the browser; in the hands of an attacker who controls the surrounding heap layout, as here, the same out-of-bounds read or write can be turned into arbitrary code execution.
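To make the mechanism concrete, the following is an added illustration of a type confusion bug in C; it is not code from the article, from Google, or from V8, and it is not CVE-2023-2033, whose details have not been published. It models a tiny managed heap as a fixed byte arena (a constructed layout, so the out-of-bounds access stays within defined behaviour for the demo): an array object and an integer object share the same header layout, and an accessor that trusts the caller’s claim about the object’s type misreads the integer’s value as an array length, so its bounds check passes for an index far outside the 8-byte integer object. The hardened accessor checks the type tag first and refuses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the V8 bug: toy type confusion on a simulated heap.
 * Both object kinds begin with a 4-byte kind tag (like an engine's hidden
 * class), and the 4 bytes after it mean "length" for an array but "value"
 * for a boxed integer.  Code that skips the tag check confuses the two.
 */
enum { KIND_INT = 1, KIND_ARRAY = 2 };
enum { ERR_ARENA = -1, ERR_BOUNDS = -2, ERR_TYPE = -3 };

#define OFF_KIND   0u
#define OFF_LENGTH 4u   /* ArrayObj: element count              */
#define OFF_VALUE  4u   /* IntObj:   integer payload, same slot! */
#define OFF_DATA   8u   /* ArrayObj: first element              */

#define ARENA_SIZE 128u
static uint8_t arena[ARENA_SIZE];

/* Constructed layout (hypothetical): array at 0, int object right after it,
 * and an unrelated "secret" further up the heap. */
#define ARRAY_OFF  0u    /* kind=ARRAY, length=4, data[4]  -> 24 bytes */
#define INT_OFF    24u   /* kind=INT,   value=1000000      -> 8 bytes  */
#define SECRET_OFF 64u   /* some other object's 32-bit field           */

/* Arena guards: these exist only so the demo itself never leaves `arena`. */
static int rd32(uint32_t off, uint32_t *out) {
    if (off > ARENA_SIZE - 4u) return ERR_ARENA;
    memcpy(out, arena + off, 4);
    return 0;
}
static int wr32(uint32_t off, uint32_t v) {
    if (off > ARENA_SIZE - 4u) return ERR_ARENA;
    memcpy(arena + off, &v, 4);
    return 0;
}

void setup_heap(void) {
    memset(arena, 0, sizeof arena);
    wr32(ARRAY_OFF + OFF_KIND, KIND_ARRAY);
    wr32(ARRAY_OFF + OFF_LENGTH, 4u);
    for (uint32_t i = 0; i < 4u; i++) wr32(ARRAY_OFF + OFF_DATA + 4u * i, 10u * (i + 1u));
    wr32(INT_OFF + OFF_KIND, KIND_INT);
    wr32(INT_OFF + OFF_VALUE, 1000000u);   /* large int: will be misread as a length */
    wr32(SECRET_OFF, 0x41414141u);
}

uint32_t peek_secret(void) { uint32_t v = 0; rd32(SECRET_OFF, &v); return v; }

/* Buggy accessor: assumes `obj` is an array without checking its kind tag.
 * The bounds check is correct for a real array, but on an IntObj the "length"
 * it reads is the integer's value, so out-of-object indices pass the check.
 * Returns the element (0..0xFFFFFFFF) or a negative error code. */
int64_t array_get_confused(uint32_t obj, uint32_t index) {
    uint32_t length, value;
    if (rd32(obj + OFF_LENGTH, &length)) return ERR_ARENA;
    if (index >= length) return ERR_BOUNDS;
    if (rd32(obj + OFF_DATA + 4u * index, &value)) return ERR_ARENA;
    return (int64_t)value;
}

/* Same confusion on the write side: corrupts whatever lives at that offset. */
int array_set_confused(uint32_t obj, uint32_t index, uint32_t v) {
    uint32_t length;
    if (rd32(obj + OFF_LENGTH, &length)) return ERR_ARENA;
    if (index >= length) return ERR_BOUNDS;
    return wr32(obj + OFF_DATA + 4u * index, v);
}

/* Hardened accessor: verify the object's type before interpreting any field. */
int64_t array_get_checked(uint32_t obj, uint32_t index) {
    uint32_t kind;
    if (rd32(obj + OFF_KIND, &kind)) return ERR_ARENA;
    if (kind != KIND_ARRAY) return ERR_TYPE;        /* type confusion refused */
    return array_get_confused(obj, index);          /* safe only after the tag check */
}

int main(void) {
    setup_heap();
    /* INT_OFF + OFF_DATA + 4*8 == 64 == SECRET_OFF: 40 bytes past the 8-byte IntObj. */
    printf("confused read of int as array[8]: 0x%llx\n", (long long)array_get_confused(INT_OFF, 8));
    printf("checked read of int as array[8]:  %lld (ERR_TYPE)\n", (long long)array_get_checked(INT_OFF, 8));
    array_set_confused(INT_OFF, 8, 0x42424242u);
    printf("secret after confused write:       0x%x\n", peek_secret());
    return 0;
}
```

The engine-side lesson is the one in `array_get_checked`: a bounds check is only as good as the type assumption behind the length it reads, which is why JIT type speculation and missing type checks are a recurring source of V8 memory-safety bugs.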
According to Google, the vulnerability was reported by Clément Lecigne of the company’s Threat Analysis Group on April 11. Following Google’s usual practice, details of how the bug works and how it can be exploited are being withheld until a majority of users have installed the update, to limit copy-cat attacks. Google also keeps those restrictions in place when a bug exists in a third-party library that other projects depend on but have not yet fixed.
The update also includes a number of other fixes from “internal audits, fuzzing and other initiatives”. CVE-2023-2033 is the first Chrome zero-day Google has patched this year. The patched build is now rolling out to users in the Stable Desktop channel and will reach the entire user base over the coming weeks; to get it sooner, open chrome://settings/help, let the browser check for updates, and relaunch it so the new version takes effect.