Google has released an out-of-band update to fix a zero-day vulnerability that has been actively exploited by threat actors in its Chrome web browser. This is the first such bug to be addressed since the start of the year. The high-severity vulnerability, tracked as CVE-2023-2033, has been described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on April 11, 2023.
The National Vulnerability Database (NVD) has reported that "Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page." Google has acknowledged that "an exploit for CVE-2023-2033 exists in the wild" and has urged users to update their browsers immediately. The company has not shared additional technical details or indicators of compromise (IoCs) to prevent further exploitation by threat actors.
According to reports, CVE-2023-2033 shares similarities with four other actively abused type confusion flaws in V8, namely CVE-2022-1096, CVE-2022-1364, CVE-2022-3723, and CVE-2022-4262, which were remediated by Google in 2022. The development comes days after Citizen Lab and Microsoft disclosed the exploitation of a now-patched flaw in Apple iOS by customers of a shadowy spyware vendor named QuaDream to target journalists, political opposition figures, and an NGO worker in 2021.
Users are advised to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available. This is the first actively exploited Chrome zero-day Google has patched in 2023. By updating their browsers promptly, users can protect themselves from potential security breaches and stay safe while browsing the internet.
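The advice above reduces to one question per machine: is the installed Chrome at or above 112.0.5615.121? The following script is an added example (not code from the article or from Google) that answers it for a fleet inventory. The fixed version comes from the advisory quoted above; the host names, version strings and the `triage_inventory` helper are constructed for this example. It compares versions component-wise as integers, because a plain string comparison ranks `112.0.5615.9` above `112.0.5615.121` and would report a vulnerable build as patched.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version that contains the fix for CVE-2023-2033, as stated in Google's advisory
# (quoted in the article). Everything below this is treated as vulnerable.
FIXED_VERSION = "112.0.5615.121"

# Chrome reports a four-component version, e.g. "Google Chrome 112.0.5615.121".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract the first four-part version in `text` (e.g. the output of
    `google-chrome --version`, or a bare version string) as a tuple of ints.
    Returns None when no such version is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, build, patch = (int(part) for part in match.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version.

    The comparison is done on integer tuples. A lexical string comparison
    would rank '112.0.5615.9' above '112.0.5615.121' and mark a vulnerable
    build as safe, so version strings are never compared directly."""
    installed = parse_version(version_text)
    target = parse_version(fixed)
    if installed is None or target is None:
        raise ValueError(f"no Chrome version found in: {version_text!r}")
    return installed >= target


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a host -> reported-version inventory (hypothetical helper) into
    hosts that still need the update, hosts that are patched, and hosts whose
    version could not be parsed and therefore need a manual look."""
    result: Dict[str, List[str]] = {"needs_update": [], "patched": [], "unknown": []}
    for host, reported in inventory.items():
        try:
            bucket = "patched" if is_patched(reported) else "needs_update"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory: host names and version strings are made up for
# this example and do not describe any real fleet.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 112.0.5615.121",  # exactly the fixed build
    "ws-02": "Google Chrome 112.0.5615.49",   # earlier 112 build, still vulnerable
    "ws-03": "Google Chrome 111.0.5563.147",  # previous major, vulnerable
    "ws-04": "Google Chrome 113.0.5672.63",   # later major, patched
    "ws-05": "Google Chrome 112.0.5615.9",    # the string-comparison trap
    "ws-06": "chrome not installed",          # nothing to parse
}

if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Feed `parse_version` whatever your inventory tool records (the `--version` output on Linux, the version string from the macOS app bundle or the Windows uninstall registry data); the regex only needs the four-part number to appear somewhere in the text. Chromium-based browsers such as Edge or Brave carry their own version numbering, so the same fixed-version constant does not apply to them; check each vendor's own advisory for the build that incorporates the fix.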