Update Chrome now! Google patches actively exploited zero-day

Google has released an update which includes two security fixes. One of these security fixes is for a zero-day about which Google says it’s aware that an exploit for this vulnerability exists in the wild.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Android users will also find an update waiting.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

screenshot of up to date ChromeChrome is up to date

After the update the version should be 114.0.5735.106 for Mac and Linux, and 114.0.5735.110 for Windows, or later.

Zero day

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

The vulnerability was reported by Clément Lecigne of Google’s Threat Analysis Group. This could indicate that Google found this vulnerability while researching an active attack, which matches the fact that an exploit for the vulnerability exists in the wild.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE for the zero-day is:

CVE-2023-3079: a type confusion in V8 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

In other cases, type confusion vulnerability leads to an arbitrary heap write, or heap spray. Heap spraying is a method typically used in exploits that places large amounts of code in a memory location that the attacker expects to be read. Usually, these bits of code point to the start of the actual code that the exploit wants to run in order to compromise the system that is under attack.

At the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8.

An attacker can exploit this vulnerability by using a specially crafted piece of HyperText Markup Language (HTML). It needs user interaction, which could be easier than it sounds. HTML is the standard markup language for documents designed to be displayed in a web browser and these documents (webpages) can contain JavaScript. Potentially this means that by opening the wrong website, which contains such a specially crafted JavaScript, the browser could be compromised.

Users of other Chromium based browsers, like Edge, should be on the lookout for updates as well, as this one is likely to affect all Chromium based browsers.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.