Google Fixes Actively Exploited Chrome Zero-Day
Tight-Lipped Silicon Valley Giant Unusually Direct About Risk
Google patched a zero-day vulnerability in Chrome, warning consumers that the vulnerability is under active exploitation.
The Silicon Valley giant revealed little Monday in a Chrome advisory about the vulnerability, tracked as CVE-2023-3079, other than saying it is a type confusion flaw in its V8 JavaScript rendering engine.
Microsoft said it is aware of the zero-day and is developing a patch. The company's Edge browser is based on the same underlying code as Chrome, which Google makes available as part of its Chromium Project.
Chrome is the world's dominant web browser, holding a market share of roughly two-thirds of all browsers. Edge has an overall market share of roughly 4%.
Google is unusually direct about the risk, wrote Sophos' Paul Ducklin.
"There's no two-degrees-of-separation verbiage, as we've often seen from Google before, to say that the company 'is aware of reports' of an exploit. This time, it’s 'we are aware of it all by ourselves', which translates even more bluntly into 'we know that crooks are abusing this as we speak,'" he said.
Still, Google said it reserves the right to withhold details about the nature of the vulnerability until a majority of Chrome users have applied the patch. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed."
Type confusion occurs in programming languages including C++, the language V8 is written in, when an application passes unexpected data to memory. MITRE said type confusion is often associated with the union declaration, which allows C language programmers to assign different variable types to the same memory location. Its exploitation in languages without memory safety, such as C++, "can lead to out-of-bounds memory access."
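The union pattern described above, as an added C example that is not taken from V8 or from Google's advisory and does not model CVE-2023-3079, whose details the article says are withheld. All names (`struct value`, `confused_view`, `read_slice_checked`) and the sample values are constructed for illustration; it shows how reading a number's bytes as an offset/length pair yields an out-of-bounds span, and how a tag check plus a bounds check rejects it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tagged value whose payload is a C union. */
enum kind { KIND_NUMBER, KIND_SLICE };
struct slice { uint32_t offset, length; };   /* view into backing[] */
struct value {
    enum kind kind;                          /* says which member is live */
    union { uint64_t number; struct slice slice; } as;
};

#define BACKING_SIZE 16u
static const unsigned char backing[BACKING_SIZE] = "ABCDEFGHIJKLMNO";

/* 1 when [offset, offset + length) lies inside backing[], else 0. */
static int span_in_bounds(struct slice s) {
    return s.offset <= BACKING_SIZE && s.length <= BACKING_SIZE - s.offset;
}

/* Type-confused view: reinterprets the payload as a slice without
 * looking at v->kind, the way a confused code path would. */
static struct slice confused_view(const struct value *v) {
    return v->as.slice;
}

/* Hardened accessor: checks the tag, then the bounds, then copies.
 * Returns bytes copied, or -1 (wrong type) / -2 (out of bounds). */
static int read_slice_checked(const struct value *v, unsigned char *out, size_t cap) {
    if (v->kind != KIND_SLICE) return -1;
    if (!span_in_bounds(v->as.slice) || v->as.slice.length > cap) return -2;
    memcpy(out, backing + v->as.slice.offset, v->as.slice.length);
    return (int)v->as.slice.length;
}

int main(void) {
    /* Both 32-bit halves are 0x40, so the result is endian-independent. */
    struct value num = { KIND_NUMBER, { .number = 0x0000004000000040ULL } };
    struct value ok  = { KIND_SLICE,  { .slice  = { 2, 4 } } };
    unsigned char out[BACKING_SIZE];

    struct slice s = confused_view(&num);
    printf("confused view: offset=%u length=%u in_bounds=%d\n",
           (unsigned)s.offset, (unsigned)s.length, span_in_bounds(s));
    printf("checked(number) = %d\n", read_slice_checked(&num, out, sizeof out));
    printf("checked(slice)  = %d\n", read_slice_checked(&ok, out, sizeof out));
    return 0;
}
```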
This patch marks the second time in months that Google has patched a V8 zero-day. It did so in April, for a vulnerability tracked as CVE-2023-2033. It's also the third zero-day patch within the same time frame, since Google in April patched a vulnerability tracked as CVE-2023-2136 in Skia, a Google-owned open-source 2D graphics library also written in C++.