New Google Chrome zero-day allows arbitrary code execution
Google says it has fixed a high-severity flaw in its Chrome browser which is currently being exploited by threat actors in the wild.
In a security advisory, the company described the flaw being abused and urged the users to apply the fix immediately.
“Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the advisory reads.
Automatic updates
The zero-day in question is a confusion weakness vulnerability in the Chrome V8 JavaScript engine, the company said. Usually, this type of flaw can be used to crash the browser, but in this case it can also be used to run arbitrary code on compromised endpoints.
The flaw was discovered by Clement Lecigne from the Google Threat Analysis Group (TAG). Usually, TAG works on finding flaws abused by nation-states, or state-sponsored threat actors. There is no word on who the threat actors abusing this flaw are, though.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
To remedy the vulnerability, users should make sure to update their browsers to version 112.0.5615.121 as soon as possible. The fix addresses the flaw on Windows, Mac, and Linux operating systems. To bring the browser up to date, users should head over to the Chrome menu (three horizontal dots in the upper right corner of the window) and navigate to Help > About Google Chrome. For us, the update was available immediately upon pressing the “check for new updates” button. Google, however, claims that the update should be available to all Chrome users “in the coming days and weeks”.
The update also required a browser reboot.
