Google on Monday released a Chrome 114 security update that patches the third zero-day vulnerability found in the web browser in 2023.
The internet giant noted that the vulnerability, discovered on June 1, has been exploited in the wild, but has not shared any information on the attacks.
However, the fact that the security hole and its exploitation were discovered by Clement Lecigne of Google’s Threat Analysis Group suggests that CVE-2023-3079 has likely been exploited by a commercial spyware vendor.
Google regularly publishes blog posts describing the exploits used by various spyware vendors, which typically advertise their products for lawful surveillance by government agencies. However, their solutions have often been abused by totalitarian regimes to spy on critics.
In many cases, spyware vendors integrate Chrome vulnerabilities into complex exploit chains that are designed to target Android devices.
Google announced recently that it’s temporarily offering up to $180,000 through its bug bounty program for a full chain exploit that leads to a sandbox escape in Chrome.
In 2022, the company patched nine Chrome zero-days, including five discovered by its Threat Analysis Group.