On Friday, Google issued urgent updates to its Chrome web browser, addressing an actively exploited zero-day vulnerability. This critical security flaw, identified as CVE-2023-2033, marks the first major bug fix of the year.
The vulnerability, classified as a high-severity type confusion issue within the V8 JavaScript engine, poses significant risks for users. Notably, Clement Lecigne from Google’s Threat Analysis Group first reported the issue on April 11, 2023.
“Type confusion in V8 prior to version 112.0.5615.121 permitted attackers to exploit potential heap corruption through specially crafted HTML pages,” states the NIST National Vulnerability Database (NVD).
Google has acknowledged that an exploit for CVE-2023-2033 is already in circulation. While the company has refrained from disclosing extensive technical details or indicators of compromise to mitigate further risks, it underscores the urgent need for users to update their systems.
This newly disclosed vulnerability has characteristics akin to previous type confusion flaws, including CVE-2022-1096, CVE-2022-1364, CVE-2022-3723, and CVE-2022-4262, all of which were actively exploited last year.
Last year, Google addressed nine zero-day vulnerabilities in Chrome. This latest development follows recent reports from Citizen Lab and Microsoft on the exploitation of a now-patched iOS vulnerability by customers of QuaDream, a controversial spyware vendor, to target various groups, including journalists and opposition figures.
Additionally, this event comes on the heels of Apple releasing updates for two zero-day vulnerabilities in its ecosystem, specifically CVE-2023-28205 and CVE-2023-28206, which could lead to arbitrary code execution across iOS, iPadOS, macOS, and the Safari browser.
Users should update to version 112.0.5615.121 of Chrome on Windows, macOS, and Linux to counter potential threats. Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also apply the fixes as they become available.
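To check a fleet against the fixed release named above, the following added example (not code from Google or the original article) classifies browser version banners against 112.0.5615.121. The host names and inventory lines are constructed, and the tab-separated "host, banner" input format is an assumption.

```python
import re

# Fixed Chrome release named in the article (Windows, macOS, Linux).
FIXED = (112, 0, 5615, 121)

# Chrome versions have four numeric parts: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(banner):
    """Classify one browser version banner against the fixed Chrome release."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if not banner.startswith("Google Chrome"):
        # Other Chromium-based browsers number their releases differently,
        # so the Chrome build number cannot be compared directly.
        return "check-vendor"
    # Tuple comparison is numeric per component; a plain string comparison
    # would rank "112.0.5615.49" above "112.0.5615.121".
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Map host -> classification for lines of the form 'host<TAB>banner'."""
    results = {}
    for line in inventory:
        host, _, banner = line.partition("\t")
        results[host.strip()] = classify(banner.strip())
    return results


# Constructed sample inventory (hypothetical hosts), in the style of the
# output of `google-chrome --version` collected from each machine.
SAMPLE = [
    "ws-001\tGoogle Chrome 112.0.5615.121",
    "ws-002\tGoogle Chrome 112.0.5615.49",
    "ws-003\tGoogle Chrome 111.0.5563.146",
    "ws-004\tMicrosoft Edge 112.0.1722.39",
    "ws-005\tGoogle Chrome (version not reported)",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "check-vendor" or "unknown" need a manual look against that vendor's own release notes rather than the Chrome build number.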