Another day, another zero-day attack hitting widely deployed software from a big tech provider.
Google on Friday joined the list of vendors dealing with zero-day attacks, rolling out a major Chrome Desktop update to fix a security defect that’s already been exploited in the wild.
The high-severity vulnerability, tracked as CVE-2023-2033, is described as a type confusion in the Chrome V8 JavaScript engine.
“Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the company said in a barebones advisory that credits Clément Lecigne of Google’s Threat Analysis Group for reporting the issue.
The company did not provide any additional details of the bug, the in-the-wild exploitation, indicators of compromise (IOCs) or any guidance on the profile of targeted machines.
Google said access to bug details and links may be kept restricted until a majority of users are updated with a fix. The company said it may also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
The patch is being pushed to Chrome 112.0.5615.121 for Windows Mac and Linux and will roll out via the software’s automatic patching mechanism over the coming days/weeks.
The Chrome zero-day patch comes days after Microsoft acknowledged a zero-day in its flagship Windows operating system was being hit by ransomware actors.
Like Google and Microsoft, Apple has also struggled with zero-day exploits and shipped a major patch a week ago to fix a pair of code execution flaws in its iOS, macOS iPadOS platforms.
So far this year, there have been 20 documented in-the-wild zero-day compromises, according to data tracked by SecurityWeek. Security defects in code from Microsoft, Apple and Google account for 12 of the 20 zero-days in 2023.
Related: Microsoft Patches Another Already-Exploited Windows Zero-Day
Related: Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days
Related: Adobe Plugs Gaping Security Holes in Reader, Acrobat
Related: Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
- IBM Snaps up DSPM Startup Polar Security
- Huntress Closes $60M Series C for MDR Expansion
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
