Google released an emergency security update for Chrome to address the first zero-day vulnerability exploited in attacks since the start of the year.

“Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the search giant said in a security consulting released on Friday.

The new version is rolling out to users in the Stable Desktop channel and will reach the entire user base over the next few days or weeks.

Chrome users should upgrade to version 112.0.5615.121 as soon as possible, as it fixes the CVE-2023-2033 vulnerability on Windows, Mac, and Linux systems.

This update was immediately available when BleepingComputer checked for new updates in the Chrome menu > Help > About Google Chrome.

The web browser will also automatically check for new updates and install them without user intervention after a restart.

Google Chrome 112.0.5615.121

Details of the attack are not yet disclosed

The high-severity zero-day vulnerability (CVE-2023-2033) is due to a high severity type confusion weakness of the Chrome V8 JavaScript engine.

The bug was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG), whose primary goal is to defend Google customers against state-sponsored attacks.

Google TAG frequently discovers and reports zero-day bugs exploited in highly targeted attacks by government-sponsored threat actors aimed at installing spyware on the devices of high-risk individuals, including journalists, politicians opposition and dissidents around the world.

Although type confusion flaws typically allow attackers to trigger browser crashes after successful exploitation by reading or writing memory outside the buffer boundaries, threat actors can also exploit them to execution of arbitrary code on compromised devices.

While Google has said it is aware of the CVE-2023-2033 zero-day exploits used in the attacks, the company has yet to share any additional information regarding these incidents.

“Access to bug details and links may be restricted until a majority of users are updated with a fix,” Google said.

“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but have not yet been fixed.”

This will allow Google Chrome users to update their browsers and block attack attempts until technical details are released, allowing more malicious actors to develop their own exploits.



Source link