Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the beginning of the year.
Tracked as CVE-2023-2033, the high-severity vulnerability is described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google’s Threat Analysis Group (TAG) was credited with reporting the issue on April 11, 2023.
“Type confusion in V8 in Google Chrome before 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to NIST’s National Vulnerability Database (NVD).
The tech giant recognized that “an exploit for CVE-2023-2033 exists in the wild,” but stopped short of sharing additional technical details or indicators of compromise (IoCs) to prevent further exploitation by threat actors.
CVE-2023-2033 also appears to have similarities to CVE-2022-1096, CVE-2022-1364, CVE-2022-3723, and CVE-2022-4262 – four other actively exploited type confusion flaws in V8 fixed by Google in 2022.
Google shut down a total of nine zero-days in Chrome last year. The development comes days after Citizen Lab and Microsoft disclosed the exploitation of a now-patched flaw in Apple iOS by customers of an obscure spyware vendor named QuaDream to target journalists, political opposition figures, and an NGO worker in 2021.
Users are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply fixes when they become available.
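A fleet-audit check for the fixed version named above, as an added example (not from the article or from Google): it parses the version string that `google-chrome --version` or `chromium --version` prints and compares it component by component against 112.0.5615.121; the host inventory is constructed sample data.

```python
"""Audit Chrome/Chromium build versions against the CVE-2023-2033 fix.

Added example, not from the article. Assumes version strings in the form
printed by `google-chrome --version` / `chromium --version`
("Google Chrome 112.0.5615.121"), or a bare dotted version.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed build stated in the article (Windows, macOS, Linux).
FIXED_VERSION = (112, 0, 5615, 121)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a 4-component Chromium version from a string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_patched(text: str) -> Optional[bool]:
    """True if at or above the fixed build, False if below, None if no
    version could be parsed (treat unknown as unknown, never as safe)."""
    v = parse_version(text)
    if v is None:
        return None
    # Tuple comparison is numeric per component, so 112.0.5615.49 < .121.
    return v >= FIXED_VERSION


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> patched/vulnerable/unknown for a {host: version} inventory."""
    status = {}
    for host, text in inventory.items():
        r = is_patched(text)
        status[host] = "unknown" if r is None else ("patched" if r else "vulnerable")
    return status


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts or observed builds).
    sample = {
        "ws-01": "Google Chrome 112.0.5615.121",
        "ws-02": "Google Chrome 112.0.5615.49",
        "ws-03": "Chromium 113.0.5672.63",
        "ws-04": "chrome: not installed",
    }
    for host, state in audit(sample).items():
        print(f"{host}: {state}")
```

The binary version on disk is necessary but not sufficient: Chrome only runs the updated code after a relaunch, so a long-running browser process should be restarted after the update lands.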