By Jack Phillips
Google released an emergency update to resolve an actively exploited flaw in its highly popular Chrome browser.
The bug, tracked as CVE-2023-2033, was deemed a “high” severity vulnerability by Google in an update posted on April 14. “Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the search giant wrote in its advisory, meaning the bug is being actively targeted by malign actors.
The new Chrome version is rolling out to users of the Windows, Mac, and Linux stable versions of the browser. The entire Chrome suite will likely get those updates in the coming days to weeks.
According to the federal National Vulnerability Database, the vulnerability stems from a “type confusion in V8 in Google Chrome” that allows “a remote attacker to potentially exploit heap corruption via a crafted HTML page.” No further details were released about the bug by Google.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” Google said.
This update was available when The Epoch Times attempted to check for new updates via the Chrome menu > Help > About Google Chrome. The browser will also automatically check for the latest updates and install them without requiring user input following a restart of the browser, but many users may leave their browsers open for extended periods of time without closing or updating.
Users are advised to upgrade to version 112.0.5615.121 for Windows, Mac, and Linux to prevent any possible attacks. Those who use Chromium-based browsers such as Brave, Tusk, Opera, Vivaldi, Microsoft Edge, and various “unGoogled” Chromium versions are advised to apply the updates upon availability.
Data from Statista shows that Google Chrome is estimated to be used by more than 3 billion people worldwide, making it the most popular browser by far. No. 2 on the list is Apple’s Safari, with about 576 million.
Forbes magazine noted that the April 14 patch is the first “zero day” bug to be addressed by Google Chrome so far in 2023. “Google has done an incredible job patching Chrome vulnerabilities this year, and it is remarkable that we got to April before the first Zero-Day exploit occurred. To put this in perspective, Chrome had 15 Zero Day exploits in 2021 and nine in 2022, so the progress is clear,” a technology writer for the magazine noted.
Separately, the Department of Homeland Security’s (DHS) cybersecurity agency recently advised users and administrators to update their Apple, Microsoft, and Adobe devices and products after a handful of security vulnerabilities were found.
“Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device,” said the Cybersecurity and Infrastructure Security Agency in a statement on April 11.
This week, Apple rolled out its security update to older Apple iPhones, iPads, Mac desktop computers, and MacBooks after it released iOS and iPadOS 16.4.1 and macOS Ventura 13.3.1 to fix two actively exploited security flaws. That update was extended to older devices, including those that use iOS and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6 to patch the same security bugs.