Yet another zero-day attack on widely used software from a major technology provider. To address a security flaw that has already been publicly exploited, Google released a significant upgrade to Chrome Desktop on Friday, joining the list of vendors grappling with zero-day assaults.
The high-severity flaw, identified as CVE-2023-2033, is characterized as a type of confusion in the JavaScript engine of Chrome V8. In a brief advisory, Google stated it was “aware that an exploit for CVE-2023-2033 exists in the wild.” Clément Lecigne of Google’s Security Analysis Group is credited with discovering the problem.
The business gave no additional information on the flaw, its in-the-wild exploitation, indicators of compromise (IOCs), or any instructions regarding the characteristics of the targeted devices.
Google stated that until most users have been updated with a fix, access to problem details and links can be restricted. The business stated that it might keep limits even if a third-party library used by similar applications has a flaw that hasn’t been patched yet.
The patch is being deployed to Chrome 112.0.5615.121 for Windows, Mac, and Linux, and it will spread out over the next few days/weeks using the program’s automatic patching system.
Days before the release of the Chrome zero-day patch, Microsoft acknowledged that ransomware perpetrators had exploited a zero-day in its widely used Windows operating system.
Apple has struggled with zero-day attacks, just like Google and Microsoft, and released a significant patch a week ago to address two code execution vulnerabilities in its iOS, macOS, and iPadOS systems. There have been 20 confirmed in-the-wild zero-day intrusions this year. Twelve of the twenty zero-day vulnerabilities in 2023 are due to security flaws in software from Microsoft, Apple, and Google.
Conclusion
On Tuesday, Google released emergency remedies for another actively exploited high-severity Chrome zero-day issue. Integer overflow in Skia, an open-source 2D graphics package, is CVE-2023-2136. On April 12, 2023, Google’s Threat Analysis Group (TAGClément )’s Lecigne discovered and reported the problem. According to NIST’s National Vulnerability Database, “Integer overflow in Skia in Google Chrome before 112.0.5615.137 permitted a remote attacker who had infiltrated the renderer process to potentially accomplish a sandbox escape via a forged HTML page” (NVD).
The tech giant, which repaired seven other security flaws with the newest update, said it’s aware of active exploitation of the bug but didn’t provide details to avoid future abuse. Google corrected CVE-2023-2033 last week, but hostile actors exploited a second Chrome zero-day vulnerability days later. In-the-wild assaults may have chained the two zero-days. For security, Windows, macOS, and Linux users should upgrade to 112.0.5615.137. Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also apply the changes when they become available.
