Affected Systems:

Google Chrome/Chromium Web Browser (Windows, Mac and Linux)

Description:

On the 4th of April, a Google Threat Analysis Group (TAG) member discovered a Zero-Day vulnerability in the V8 JavaScript Engine developed by Google and used in Google Chrome. The vulnerability, tracked on the National Vulnerability Database (NVD) as CVE-2023-2033, is a Type Confusion vulnerability.

A Type Confusion vulnerability occurs when a program allocates or initialises a resource using one type but later accesses the same resource using a type that is incompatible with the original. This can make it possible to access memory that would normally be out of bounds, leading to more serious consequences such as arbitrary code execution. In the Chrome Releases blog post, Google said they were ‘aware that an exploit for CVE-2023-2033 exists in the wild’.

A patch intended to fix this vulnerability began rolling out on the 14th of April. At the time of writing, the NVD has not yet published a score for the vulnerability, as the entry is still in the analysis phase. Google has given this vulnerability the Chromium Security Severity of ‘High’ (their scale ranges from Low to Critical) and noted that the bug details would remain restricted until a majority of users have installed the update.

More information regarding the vulnerability will not be available until Google makes the bug report public.

Prevention:

The new update (version 112.0.5615.121) is still being rolled out to users and should be available to all users in the following days or weeks. Chrome should automatically update, but it is worth manually checking by clicking the three dots in the top right-hand corner of Chrome > Help > About Google Chrome.
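
For checking more than one machine, the version comparison can be scripted. The following is an added example, not part of the original advisory: it triages a list of reported Chrome version strings against the patched build named above. The host names and sample versions are constructed for illustration.

```python
import re

# Patched build stated in the advisory above.
PATCHED = (112, 0, 5615, 121)

# Matches a four-part version inside strings such as
# "Google Chrome 112.0.5615.49" (the format printed by `google-chrome --version`).
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(version_text, patched=PATCHED):
    """Classify one reported version string against the patched build."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparsable: needs manual review, not assumed safe
    # Tuples compare numerically per component, so 112.0.5615.49 < 112.0.5615.121.
    # A plain string comparison would rank ".49" above ".121" and miss the host.
    return "patched" if v >= patched else "vulnerable"


def triage(inventory):
    """Return {host: status} for every host not confirmed as patched."""
    result = {}
    for host, version_text in inventory:
        s = status(version_text)
        if s != "patched":
            result[host] = s
    return result


# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE = [
    ("ws-01", "Google Chrome 112.0.5615.121"),
    ("ws-02", "Google Chrome 112.0.5615.49"),
    ("ws-03", "Google Chrome 111.0.5563.146"),
    ("ws-04", "Google Chrome 113.0.5672.24 beta"),
    ("ws-05", "not installed"),
]

if __name__ == "__main__":
    for host, s in triage(SAMPLE).items():
        print(f"{host}: {s}")
```
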