Google has released an emergency Chrome security update to address the first zero-day vulnerability exploited in attacks since the start of the year. The vulnerability, identified as CVE-2023-2033, is a type confusion weakness in the Chrome V8 JavaScript engine that could allow attackers to trigger browser crashes and execute arbitrary code on compromised devices.
The bug was discovered by Clement Lecigne of Google’s Threat Analysis Group (TAG), which is tasked with defending Google customers from state-sponsored attacks.
Google has stated that an exploit for CVE-2023-2033 exists in the wild, but the company has yet to share further information regarding these incidents.
As a result, Google has advised Chrome users to upgrade to version 112.0.5615.121 as soon as possible, as it addresses the vulnerability on Windows, Mac, and Linux systems. The web browser will also automatically check for new updates and install them after a restart, without requiring user interaction.
Google TAG frequently reports zero-day bugs exploited in highly targeted attacks by government-sponsored threat actors aiming to install spyware on devices of high-risk individuals, including journalists, opposition politicians, and dissidents worldwide.
In response, Google will keep access to bug details and links restricted until a majority of users are updated with a fix. It will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed. This gives Chrome users time to upgrade their browsers and block attack attempts before technical details are released.