Time to patch: Google has uncovered hackers exploiting a new vulnerability in the Chrome browser and rated the threat as “high.”
The zero-day vulnerability, dubbed CVE-2023-3079, involves a previously unknown flaw in Chrome’s code, meaning users running unpatched versions of the browser are at risk of compromise. “Google is aware that an exploit for CVE-2023-3079 exists in the wild,” the company warned in a blog post.
So far, Google hasn’t revealed much about the flaw. But Clément Lecigne, a researcher with the company’s Threat Analysis Group, discovered the threat on June 1, which resulted in Google rolling out an emergency patch.
For now, Google has only said CVE-2023-3079 pertains to a “type confusion” vulnerability in the V8 JavaScript engine for Chrome and other Chromium-based browsers, which include Microsoft’s Edge and Brave. A type confusion bug means the V8 engine neglects to verify the type of a resource before using it, creating a way to access memory in the program that should normally be restricted. This suggests a hacker could use some JavaScript code, perhaps embedded in a website, to trigger CVE-2023-3079 to execute a malicious function.
The flaw is the third zero-day exploit Google has uncovered this year targeting Chrome users. Two others were reported in April, including another type confusion flaw with the V8 engine.
Google has rolled out the patches through Chrome version 114.0.5735.106 for Macs and Linux, and then version 114.0.5735.110 for Windows. Microsoft also says it's aware of the vulnerability and working on a patch for Edge. "While we get the security fix rolled out, it is worth highlighting that Microsoft Edge's enhanced
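
For administrators checking a fleet against the fixed Chrome builds listed above, the following Python script is an added example, not code from Google or from this article. The CSV layout, hostnames, status names and sample rows are constructed assumptions; the only values taken from the article are the two fixed build numbers.

```python
import csv
import io
import re

# Fixed Chrome builds per platform, as stated in the article.
FIXED_CHROME = {
    "windows": (114, 0, 5735, 110),
    "mac": (114, 0, 5735, 106),
    "linux": (114, 0, 5735, 106),
}
VERSION_RE = re.compile(r"\d+(?:\.\d+){3}")

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = """host,browser,platform,version
ws-01,chrome,windows,114.0.5735.110
ws-02,chrome,windows,114.0.5735.106
mac-01,chrome,mac,114.0.5735.106
lnx-01,chrome,linux,114.0.5735.90
lnx-02,chrome,linux,115.0.5790.98
ws-03,edge,windows,114.0.1823.37
ws-04,chrome,windows,unknown
"""

def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints so comparison is numeric."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage(browser, platform, version):
    """Return 'at_or_above_fix', 'below_fix', or 'unknown'."""
    # The article gives fixed builds for Chrome only; other Chromium-based
    # browsers (Edge, Brave) have no fixed build stated, so stay 'unknown'.
    fixed = FIXED_CHROME.get(platform.strip().lower())
    if browser.strip().lower() != "chrome" or fixed is None:
        return "unknown"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"
    return "at_or_above_fix" if installed >= fixed else "below_fix"

def triage_inventory(csv_text):
    """Map each host in a CSV inventory to its triage status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["browser"], r["platform"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank build `.90` above `.106`, and a Windows host on `.106` is still below the Windows fixed build of `.110`.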