Google has released an emergency security update for its Chrome browser to fix the first Chrome zero-day vulnerability exploited in attacks since the start of the year. Tracked as CVE-2023-2033, the flaw is being actively exploited in the wild, according to a security advisory the company published on Friday.
The new update is being rolled out to users in the Stable Desktop channel and is expected to reach the entire user base in the coming days or weeks. To protect their systems, Chrome users should upgrade to version 112.0.5615.121, which addresses the CVE-2023-2033 vulnerability on Windows, Mac, and Linux platforms.
The update can be triggered manually from the Chrome menu by navigating to Help > About Google Chrome (chrome://settings/help). Chrome also checks for new updates automatically and installs them without user interaction, but the fix only takes effect once the browser is restarted, so users should relaunch Chrome after the update downloads.
The high-severity zero-day vulnerability (CVE-2023-2033) is a type confusion weakness in Chrome's V8 JavaScript engine. The bug was reported on April 11, 2023 by Clement Lecigne of Google's Threat Analysis Group (TAG), the team that focuses on defending Google customers against state-sponsored cyberattacks.
Google TAG frequently uncovers and reports zero-day vulnerabilities exploited by government-backed threat actors in targeted attacks. These actors often seek to install spyware on devices belonging to high-risk individuals such as journalists, opposition politicians, and dissidents around the world.
A type confusion flaw occurs when code accesses memory through an object of the wrong type, so the field offsets and sizes it assumes no longer match what is actually stored there; the result is an out-of-bounds read or write. In the simplest case that only crashes the browser, but attackers routinely turn such bugs into arbitrary code execution. For a V8 bug that code runs inside the sandboxed renderer process, so a full compromise of the device is usually chained with a separate sandbox-escape vulnerability.
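The following C program is an added illustration of the type confusion bug class written for this article; it is not Chrome or V8 code and does not reproduce CVE-2023-2033. The `struct value` tagged union, the accessor names and the `0x41414141` payload are all assumptions chosen for the demonstration. It shows the two dangerous directions of a confusion (a pointer read as an integer discloses an address; an integer read as a pointer yields an attacker-chosen address) without dereferencing anything, next to checked accessors that refuse the mismatch.

```c
/* Added illustration of type confusion, not Chrome/V8 code and not
 * CVE-2023-2033. A tagged value is read through the wrong union member,
 * so integer bits and pointer bits are silently interchanged. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum kind { KIND_INT, KIND_STR };

struct value {
    enum kind tag;
    union {
        uintptr_t   n;   /* meaningful only when tag == KIND_INT */
        const char *s;   /* meaningful only when tag == KIND_STR */
    } u;
};

/* VULNERABLE: these accessors trust the caller's assumption about the
 * type instead of checking the tag. This is the same category of mistake
 * as an engine running code compiled for one object layout on an object
 * that has a different layout. */
uintptr_t confused_as_int(const struct value *v)
{
    return v->u.n;          /* on a KIND_STR value: leaks the pointer bits */
}

const char *confused_as_str(const struct value *v)
{
    return v->u.s;          /* on a KIND_INT value: attacker-chosen address */
}

/* HARDENED: every access checks the tag first and refuses a mismatch. */
bool checked_as_int(const struct value *v, uintptr_t *out)
{
    if (v->tag != KIND_INT)
        return false;
    *out = v->u.n;
    return true;
}

bool checked_as_str(const struct value *v, const char **out)
{
    if (v->tag != KIND_STR)
        return false;
    *out = v->u.s;
    return true;
}

static const char greeting[] = "hello";   /* constructed sample data */

int main(void)
{
    struct value str_val = { KIND_STR, { .s = greeting } };
    struct value int_val = { KIND_INT, { .n = 0x41414141u } }; /* attacker-controlled */

    /* Direction 1: a pointer read as an integer discloses an address,
     * which is what an exploit needs to defeat ASLR. */
    printf("leaked address: 0x%lx\n", (unsigned long)confused_as_int(&str_val));

    /* Direction 2: an integer read as a pointer. Dereferencing it would be
     * an arbitrary read/write primitive; here it is only printed. */
    printf("forged pointer: %p\n", (const void *)confused_as_str(&int_val));

    uintptr_t n;
    const char *s;
    printf("checked int on string value: %s\n",
           checked_as_int(&str_val, &n) ? "allowed" : "refused");
    printf("checked str on string value: %s\n",
           checked_as_str(&str_val, &s) ? s : "refused");
    return 0;
}
```

The unchecked accessors never touch memory they should not, so the program itself does not crash; the point is that the returned values are already useful exploit primitives (an address leak and a forged pointer) before any dereference happens. Real engine bugs of this kind are exploited by following the forged pointer, which is why the hardened accessors reject the mismatch outright rather than trying to sanitise the value afterwards.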
Google has not yet disclosed further information regarding the attacks involving the CVE-2023-2033 zero-day exploit. The company stated that it may restrict access to bug details and links until a majority of users have updated their browsers with a fix. Google also plans to retain restrictions if the bug exists in a third-party library that other projects depend on but have not yet addressed.
By urging users to update their browsers promptly, Google aims to block attack attempts and minimize the risk of more threat actors developing their own exploits once technical details are released.