Google fixes new Chrome zero-day vulnerability with exploit in the wild

Google has released a security update for the Chrome web browser that fixes the third zero-day vulnerability hackers have exploited this year. According to the security alert, "Google is aware that an exploit for CVE-2023-3079 exists in the wild."

Exploitation details not released:

Google has disclosed only the type and severity of the bug, and no details of how the exploit has been used in attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed" - Google

Google typically takes the position of withholding technical information when a new security flaw is discovered. Since attackers could use the information to create new attacks, this is done to protect users until the majority of them transition to the secure version.

The flaw is a type confusion in V8, Chrome's JavaScript engine responsible for running code inside the browser. It has been rated high severity and was found by Google researcher Clément Lecigne on June 1, 2023.

Type confusion vulnerabilities happen when the engine incorrectly interprets an object's type during runtime, which can result in unauthorised code execution and malicious memory manipulation.

CVE-2023-2033, a type confusion flaw in the V8 JavaScript engine, was the first zero-day vulnerability that Google patched in Chrome this year.

A few days later, Google released an emergency security update for Chrome to patch CVE-2023-2136, an actively exploited vulnerability impacting the browser's 2D graphics library, Skia.

Zero-day vulnerabilities are often exploited by sophisticated state-sponsored threat actors, aiming primarily at high-profile figures within government, media, or other vital organizations. Therefore, it is strongly recommended that all Chrome users install the available security update as soon as possible.

Along with fixing a new zero-day, the latest Chrome version addresses various issues discovered from internal audits and code fuzzing analysis.

Google says the update will roll out in the coming days/weeks, so it is a gradual distribution that won't reach everyone simultaneously.

Update Chrome browser:


Go to the Chrome settings menu (upper right corner) and choose Help > About Google Chrome to manually begin the Chrome upgrade process to the most recent version that fixes the actively exploited security flaw.

To finish the update, the application must be relaunched.

Available security updates are also installed automatically, without user intervention, the next time the browser starts, so check the "About" tab to make sure you're running the most recent version.

Version 114.0.5735.110 for Windows and 114.0.5735.106 for Mac and Linux are the latest stable channel releases that fix the bug for which there is a public exploit.
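For administrators checking many machines against the fixed versions above, the following is an added example (not from Google or the original article) that classifies inventory records by platform. It assumes each record carries a version string such as the output of `google-chrome --version`; the host names and sample inventory are constructed, and the function names are hypothetical.

```python
import re

# Fixed stable-channel versions stated in the article, keyed by platform.
FIXED = {
    "windows": (114, 0, 5735, 110),
    "mac": (114, 0, 5735, 106),
    "linux": (114, 0, 5735, 106),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # do not assume safe when data is missing
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "114.0.5735.90" above "114.0.5735.106".
    return "patched" if version >= fixed else "vulnerable"


def audit(records):
    """Map host -> status for an iterable of (host, platform, version_text)."""
    return {host: classify(platform, text) for host, platform, text in records}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "Google Chrome 114.0.5735.110"),
    ("ws-002", "Windows", "Google Chrome 114.0.5735.106"),
    ("mb-003", "Mac", "Google Chrome 114.0.5735.106"),
    ("lx-004", "Linux", "Google Chrome 114.0.5735.90"),
    ("lx-005", "Linux", "Google Chrome 115.0.5790.98"),
    ("ws-006", "Windows", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Records on platforms the article does not list, or with an unparseable version string, come back as "unknown" so they can be followed up by hand.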