‘Google releases emergency fix for zero-day Chrome vulnerability’

The company recommends that all users update their desktop versions of the browser immediately.

Google released an emergency update for Chrome to address a zero-day security flaw.

The vulnerability, tracked as CVE-2023-2033, “can be exploited by a malicious webpage to run arbitrary code in the browser”. In other words, a user who visits a bad website with a vulnerable browser could have their device “hijacked”. Exploit code for the flaw is said to be circulating, the report warns, so there is already a potential threat from attackers.

Who’s vulnerable?

The bug, which occurs in the V8 JavaScript engine, is present in Chrome for desktop versions prior to 112.0.5615.121. That’s the version Google released on April 14 for Windows, Mac, and Linux to fix the security flaw.

The vulnerability is described as a “high severity” type-confusion flaw, so users should install the new version of Chrome “as soon as possible, either automatically or manually”.

The bug was found and reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on April 11. The update notice states that “Google is aware that an exploit for CVE-2023-2033 exists in the wild”. This is the first Chrome zero-day that Google has fixed this year.

Full details on how exactly the bug could be or was exploited have not yet been released, but Google suggests that users can visit the Chrome Security Page for more information. This latest version of Chrome also includes “various fixes from internal audits, fuzzing and other initiatives”, according to Google.

“Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL”, the company added.