Chrome
Another day – another browser vulnerability discovered! Indeed, the number of dangerous security holes has doubled within a week! Only recently we highlighted the urgent need to update iOS and macOS due to a major bug in Apple WebKit (the engine inside Safari and other browsers in iOS). And now, due to a similar threat in terms of exploitability, you need to update other browsers too. This time the focus of attention is Google Chrome and related browsers (and not only browsers, but let’s not get ahead of ourselves).
Vulnerabilities in the V8 engine
The vulnerability CVE-2023-2033 has been found in the V8 engine. This engine is used for processing JavaScript. It was found by the same researcher at Google’s Threat Analysis Group (TAG) who had a hand in the discovery of the iOS and macOS vulnerabilities described in our previous post.
Since it’s standard Google policy not to release details about a vulnerability until most users have updated their browsers, there are no specifics yet about this security hole. What we do know, however, is that an exploit for this vulnerability already exists.
For successful exploitation, attackers need to lure victims to a specially crafted malicious web page. That enables them to run arbitrary code on the target computer. Like the previously found vulnerability in Safari WebKit, this hole facilitates zero-click attacks. In other words, cybercriminals can infect a device without any active actions on the user’s part — just getting the victim to visit a dangerous site is enough.
The vulnerability is known to exist at the very least in the desktop versions of all browsers based on Chromium, which means not only Google Chrome itself, but also Microsoft Edge, Opera, Yandex Browser, Vivaldi, Brave, and many others. It likely affects Electron-based applications, too. As we wrote not so long ago, such programs are essentially web pages opened in the Chromium browser built into the application.
How to protect yourself
To neutralize the threat of CVE-2023-2033 on your computer, update all Chromium-based browsers installed on it right away. See our detailed post with an explanation of how to do this in Google Chrome. But to cut to the chase:
- Update Google Chrome to version 112.0.5615.121.
The security hole we describe is fixed in Google Chrome version 112.0.5615.121
- Patch the vulnerability in other Chromium-based applications, too: you can find a patch to update Microsoft Edge to version 112.0.1722.48 here, while the Vivaldi and Brave websites already have patches for these browsers.
- Always restart the browser after updating; otherwise the update won’t take effect.
- Update all Electron-based applications as well (patches for them will likely appear a while later).
And of course, be sure to protect all your devices with a reliable antivirus that safeguards against new vulnerabilities that are already being exploited but haven’t been fixed yet.
