
Zero-day in Google Chrome patched: Bug exploited in the wild

Chrome Browser receives emergency patch

On Friday, Google released an emergency security update for a zero-day vulnerability in its popular Chrome desktop browser, which the company reported is being actively exploited. The flaw impacts Windows, macOS and Linux versions of the Google Chrome desktop browser prior to build version 112.0.5615.121.

The vulnerability, tracked as CVE-2023-2033, has a CVSS rating of high and is classified as a type confusion flaw in V8, Chrome's open-source JavaScript engine. According to NIST's description, the flaw allows "a remote attacker to potentially exploit heap corruption via a crafted HTML page."

“Google is aware that an exploit for CVE-2023-2033 exists in the wild,” Google explained.

There are few additional details regarding the bug, as specifics are “kept restricted until a majority of users are updated with a fix.”

A type confusion vulnerability, according to MITRE, “can lead to out-of-bounds memory access” in languages (C and C++) without memory protection. Confusion vulnerabilities, in the context of Chrome's V8 JavaScript engine, occur when “the program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.”
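The access pattern MITRE describes, as an added C example that is not from the article, Google or the Chrome code base: a value created as a number is later read through its buffer view, so its integer is taken as the length that bounds indexing, while the checked accessor refuses the mismatched type. The `struct value` layout and every function name here are constructed for illustration and do not reflect V8 internals.

```c
#include <stdint.h>

/* Constructed model of a dynamically typed value; not V8's object layout. */
enum kind { KIND_NUMBER, KIND_BUFFER };

struct value {
    enum kind kind;                /* type the value was created with */
    union {
        uint64_t number;           /* KIND_NUMBER: caller-chosen integer */
        struct {
            uint64_t len;          /* KIND_BUFFER: valid bytes in data[] */
            unsigned char data[16];
        } buf;
    } u;
};

struct value make_number(uint64_t n) {
    struct value v = { .kind = KIND_NUMBER };
    v.u.number = n;
    return v;
}

struct value make_buffer(const unsigned char *src, uint64_t len) {
    struct value v = { .kind = KIND_BUFFER };
    if (len > sizeof v.u.buf.data) len = sizeof v.u.buf.data;
    v.u.buf.len = len;
    for (uint64_t i = 0; i < len; i++) v.u.buf.data[i] = src[i];
    return v;
}

/* Confused access: treats any value as a buffer, so a number's integer
   is read back as the length that would bound later indexing. */
uint64_t trusted_len_unchecked(const struct value *v) {
    return v->u.buf.len;
}

/* Hardened access: verify the creation type before using the buffer view.
   Returns 0 and stores the byte on success, -1 on wrong type or bad index. */
int read_byte_checked(const struct value *v, uint64_t i, unsigned char *out) {
    if (v->kind != KIND_BUFFER) return -1;
    if (i >= v->u.buf.len) return -1;
    *out = v->u.buf.data[i];
    return 0;
}
```

With a number holding 4096, the unchecked view reports a 4096-byte length for a 16-byte array, which is the out-of-bounds condition in the MITRE quote; the tag check is what closes it.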

The Friday patch update included a second security fix; however, no CVE was provided for the second bug. Clément Lecigne of Google's Threat Analysis Group is credited with identifying the vulnerability (CVE-2023-2033), first spotted on April 11.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
