1.0 Introduction
Chrome is now used by over three billion users worldwide, and every single one of them needs to update their browser urgently. The vulnerability, CVE-2023-2033, discovered by Google’s Threat Analysis Group, stems from a “Type Confusion in V8”. Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. This occurs when a program allocates or initializes a resource using one method but then accesses that resource using an incompatible method, potentially providing unsecured access to the browser’s memory.
2.0 Impact
Successful exploitation allows attackers to trigger browser crashes by reading or writing memory out of buffer bounds. Threat actors can also exploit the flaw for arbitrary code execution on compromised devices.
3.0 Affected System and Devices
Chrome versions below 112.0.5615.121 on Windows, Mac and Linux.
4.0 Recommendations
MyCERT encourages users and administrators to review Google’s security updates and apply necessary updates.
To update immediately, click the overflow menu (three vertical dots) in the browser’s top right corner, then Help > About Google Chrome. This will force Chrome to check for browser updates. Once the update is complete, you must restart the browser to be fully protected.
Kindly refer to the following URLs:
https://www.google.com/chrome/update/
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
(The new version of Google Chrome is available in the Stable Desktop Channel).
Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements by the vendor and to follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
- https://www.forbes.com/sites/gordonkelly/2023/04/15/google-chrome-browser-zero-day-vulnerability-critical-chrome-update/?sh=564c310759ae
- https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-first-zero-day-of-2023/
- https://nvd.nist.gov/vuln/detail/CVE-2023-2033
- https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
- https://www.google.com/chrome/update/
- https://support.google.com/chrome/answer/95414?hl=en&co=GENIE.Platform%3DDesktop