Yesterday, Google released a security update to fix a serious zero-day vulnerability in the Chrome web browser. The company reported that attackers actively exploited this vulnerability.
Vulnerability with ID CVE-2023-3079 was discovered in the V8 JavaScript engine and relates to the Type Confusion bug. A researcher from the Google TAG Threat Analysis Group reported the problem on June 1 this year.
According to NIST, the V8 input vulnerability in Google Chrome prior to version 114.0.5735.110 allowed a remote attacker to potentially inflict Heap Corruption through a generated HTML page.
Google, as usual, does not disclose details about the nature of the attacks, but notes that the CVE-2023-3079 vulnerability is already being exploited by attackers in the wild (ITW).
Since the beginning of this year, Google developers have patched three actively exploited zero-day vulnerabilities in Chrome. In addition to the aforementioned new vulnerability, two previous ones should be mentioned:
- CVE-2023-2033 (CVSS score: 8.8) – “Type Confusion” in V8.
- CVE-2023-2136 (CVSS score: 9.6) – “Integer Overflow” in Skia.
For security reasons, all users are advised to update Chrome to version 114.0.5735.110 for Windows and 114.0.5735.106 for macOS and Linux as soon as possible, notes NIXSolutions. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also encouraged to install security patches as they are released.