Governance & Risk Management , Patch Management

Google Fixes Actively Exploited Chrome Zero-Day

Tight-Lipped Silicon Valley Giant Unusually Direct About Risk
Google Fixes Actively Exploited Chrome Zero-Day
Image: Shutterstock

Google patched a zero-day vulnerability in Chrome, warning consumers that the vulnerability is under active exploitation.

See Also: 10 Belt-Tightening Tips for CISOs to Weather the Downturn

The Silicon Valley giant revealed little Monday in a Chrome advisory about the vulnerability, tracked as CVE-2023-3079, other than saying it is a type confusion flaw in its V8 JavaScript rendering engine.

Microsoft said it is aware of the zero-day and is developing a patch. The company's Edge browser is based on the same underlying code as Chrome, which Google makes available as part of its Chromium Project.

Chrome is the world's dominant web browser, holding a market share of roughly two-thirds of all browsers. Edge has an overall market share of roughly 4%.

Google is unusually direct about the risk, wrote Sophos' Paul Ducklin.

"There's no 'two-degrees-of-separation verbiage, as we've often seen from Google before, to say that the company 'is aware of reports' of an exploit. This time, it’s 'we are aware of it all by ourselves', which translates even more bluntly into 'we know that crooks are abusing this as we speak,'" he said.

Still, Google said it reserves the right to withhold details about the nature of the vulnerability until a majority of Chrome users have applied the patch. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed."

Type confusion occurs in programming languages including C++, which is the V8 language, when an application passes to memory unexpected data. Mitre said type confusion is often associated with the union declaration, which allows C language programmers to assign different variable types to the same memory location. Its exploitation in languages without memory safe, such as C++, " can lead to out-of-bounds memory access."

This patch marks the second time in months that Google has patched a V8 zero-day. It did so in April, in a vulnerability traced as CVE-2023-2033. It's also the third zero-day patch within the same time frame, since Google in April patched a vulnerability tracked as CVE-2023-2136 in Skia, a Google-owned open-source 2D graphics library also written in C++.


About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.