Google Patches Actively Exploited Zero-day Vulnerability in its Chrome Browser (CVE-2023-2033)

Google Chrome, the most widely used web browser, is affected by a type confusion vulnerability (CVE-2023-2033). Google has addressed the vulnerability in the latest version of Chrome. Clement Lecigne of Google’s Threat Analysis Group reported this vulnerability.
 
Google has stated in the advisory that it is aware of active exploitation of this vulnerability in the wild. CVE-2023-2033 is the first zero-day vulnerability in the Chrome browser addressed by Google.

CISA has added CVE-2023-2033 to its Known Exploited Vulnerabilities Catalog and requested users to patch the vulnerability before May 8th, 2023.

CVE-2023-2033 is a type confusion vulnerability in the V8 JavaScript engine. A type confusion flaw occurs when a program allocates or initializes a resource, such as a pointer, object, or variable, as one type but later accesses that resource as a different, incompatible type, which can allow out-of-bounds memory access. A remote attacker may execute arbitrary code or cause a denial of service on the system by convincing a user to visit a specially crafted website.

Affected versions

Google Chrome versions before 112.0.5615.121 are affected by this vulnerability.

Mitigation

Customers are requested to upgrade to the latest stable channel version, 112.0.5615.121, for Windows, Mac, and Linux. For more information, please refer to the Google Chrome security page.
 
Microsoft has released the Microsoft Edge Stable Channel (Version 112.0.1722.48) to address CVE-2023-2033, which the Chromium team has reported as being exploited in the wild.
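
To check a software inventory against the fixed versions named above, the following added example (not from Google, Microsoft, or Qualys) classifies each installed browser as vulnerable, patched, or unknown. The CSV layout, host names, and sample versions are constructed, and treating Edge builds before 112.0.1722.48 as unpatched is an assumption based on the release stated above.

```python
import csv
import io

# Fixed versions as stated in this advisory.
FIXED = {
    "chrome": (112, 0, 5615, 121),
    "edge": (112, 0, 1722, 48),
}

def parse_version(text):
    """Turn '112.0.5615.121' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one installed browser."""
    fixed = FIXED.get(product.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never silently treat an unparseable row as safe
    # Tuple comparison is numeric per component, so 112.0.5615.99 sorts
    # before 112.0.5615.121 (a plain string comparison gets this wrong).
    return "vulnerable" if version < fixed else "patched"

def audit(inventory_csv):
    """Return a list of (host, product, version, status) for each row."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["product"], row["version"])
        results.append((row["host"], row["product"], row["version"], status))
    return results

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,product,version
ws-001,chrome,112.0.5615.121
ws-002,chrome,112.0.5615.99
ws-003,chrome,111.0.5563.146
ws-004,edge,112.0.1722.39
ws-005,edge,112.0.1722.48
ws-006,chrome,113.0.5672.63
ws-007,chrome,unknown
ws-008,firefox,112.0.1
"""

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE):
        print(f"{host:8} {product:8} {version:16} {status}")
```

Rows reported as unknown need manual follow-up rather than being counted as patched.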

Qualys Detection

Qualys customers can scan their devices with QIDs 378417 and 378418 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html 
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#april-14-2023 
