In a recent security advisory, Google says it patched a high-severity zero-day security flaw in its Chrome browser—the first in 2023—currently being exploited in the wild by threat actors. The company urges all its Windows, Mac, and Linux users to update to version 112.0.5615.121 immediately, as this flaw is present in Chrome versions before this one. Updating your browser can be done manually or automatically.
If you use other Chromium-based browsers, you may need to update them as well.
The vulnerability, tracked as CVE-2023-2033, is exploitable when a user visits a malicious webpage using an unpatched Chrome browser. The page could run arbitrary code in the browser, potentially leading to your computing device being hijacked. Google is aware that exploit code for this flaw already exists and is circulating in the wild.
CVE-2023-2033 is a type-confusion bug in V8, Google's open-source JavaScript and WebAssembly engine. As is usual with zero-day patch announcements, the company supplied little to no detail on how attackers could exploit this flaw. However, we know that attacks on V8, although uncommon, are considered among the most dangerous. Exploiting a weakness in V8 typically leads to a browser crashing.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," says Google in the advisory. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
Google is giving all its Chrome users enough time to update to the latest version before technical details are released.
How to manually update Chrome
Google Chrome typically updates automatically. However, it's worth double-checking. To check if your browser is up to date:
- Click the three vertical dots at the upper right-hand side of the URL bar.
- Select Help > About Google Chrome.
Simply doing this should trigger Chrome to update. Once done, the browser will ask you to relaunch. Click the button to confirm and complete the update process.
Google would never let users manually download and install a separate file to update Chrome. Scammers and threat actors have used this tactic many times in the past, and, for a time, it worked. Now and then, this tactic is adopted in a malicious campaign, to catch those who aren't familiar with how Chrome works or how Google updates its products.
Stay safe!