Google released security updates to address a zero-day vulnerability in the widely used web browser Chrome. Google has given CVE-2023-3079 a high severity rating. The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group. Google is aware of the active exploitation of the vulnerability.
The advisory provides no information regarding the other vulnerability patched with the latest update.
CISA has added this critical vulnerability to its Known Exploited Vulnerabilities Catalog, requesting users to patch it before 28th June 2023.
CVE-2023-3079 is a Type Confusion vulnerability in Google Chrome’s JavaScript Engine V8. A Type Confusion flaw occurs when a program allocates or initializes a resource using one kind of method, such as a pointer, object, or variable. Still, it later accesses that resource in a different way that is incompatible with the original type. This causes out-of-bounds memory access. A remote attacker may execute arbitrary code or bring about a denial of service on the system by convincing a user to go to a specially crafted website.
Affected versions
Google Chrome versions prior to 114.0.5735.106 and 114.0.5735.110 are affected by this vulnerability.
Mitigation
Customers are requested to upgrade to the latest stable channel version, 114.0.5735.106 for Mac and Linux and 114.0.5735.110 for Windows. For more information, please refer to the Google Chrome security page.
Microsoft has released the Microsoft Edge Stable Channel Version 114.0.1823.41 to address CVE-2023-3079, which the Chromium team has reported as being exploited in the wild.
Qualys Detection
Qualys customers can scan their devices with QIDs 378549 and 378557 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html