Drop Everything: Update Chrome NOW — 0-Day Exploit in Wild

Chrome’s “V8” JavaScript engine has high-severity vuln. Scrotes already exploiting it.

Google is warning that you should update Chrome ASAP. CVE-2023-2033 is a nasty zero-day that needed Google to rush out an emergency patch.

No news on the nature of the bug, other than a terse “type confusion” description. In today’s SB Blogwatch, we head for the hamburger.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Animal dump.

It’s Help|About Time

What’s the craic? Sergiu Gatlan reports—“Google Chrome emergency update”:

Chrome users should upgrade to version 112.0.5615.121 as soon as possible … on Windows, Mac, and Linux systems … from the Chrome menu > Help > About Google Chrome. … The new version is rolling out to users in the Stable Desktop channel, and it will reach the entire user base over the coming days.

The high-severity zero-day vulnerability (CVE-2023-2033) is due to a high-severity type confusion weakness in the Chrome V8 JavaScript engine. … Although type confusion flaws would generally allow attackers to trigger browser crashes … threat actors can also exploit them for arbitrary code execution on compromised devices.

When should we update? Brandon Vigliarolo clarifies the ideal timeline—“Update now”:

As soon as possible
CVE-2023-2033 can be exploited … to run arbitrary code. … Thus, surfing to a bad website … could lead to your device being hijacked. Exploit code for this hole is said to be circulating, and may well be in use already by miscreants.

112.0.5615.121 … should be installed as soon as possible, either automatically or manually. … Full details on how exactly the bug could be or was exploited have not yet been released. [It’s] the first zero-day in Chrome squashed … this year.

Horse’s mouth? Srinivas Sista says—“Update for Desktop”:

High CVE-2023-2033: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group on [April 11]. … An exploit for CVE-2023-2033 exists in the wild.

But don’t be confused by fake updates. Rintaro Koike, Ryu Hiyoshi and Hisayo Enomoto are lost in translation—“Attack Campaign that Uses Fake Google Chrome Error to Distribute Malware”:

Monero miner
Our SOC has observed an attack campaign distributing malware from a web page disguised as a Google Chrome error message. … The attacks have been confirmed in a very wide area, so close attention is required. … Many websites … have been compromised.

JavaScript code is executed to download a ZIP file. The name of the ZIP file starts with “chromium-patch-nightly” and it’s disguised as a Chrome update patch. … An EXE file included in the ZIP file is a Monero miner.
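The one indicator given in that report, a ZIP whose name starts with “chromium-patch-nightly”, can be hunted for in web proxy logs. This is an added example, not code from the original post or from the quoted researchers; the log layout (timestamp, client, method, URL, status), the domains and the file names after the prefix are all constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit

LURE_PREFIX = "chromium-patch-nightly"  # ZIP name prefix reported on this page


def lure_filename(url):
    """Return the decoded file name if the URL points at a ZIP whose name
    starts with the reported prefix, otherwise None."""
    # urlsplit drops the query string; unquote undoes %-encoding such as %2D.
    path = unquote(urlsplit(url).path)
    name = posixpath.basename(path)
    lowered = name.lower()
    if lowered.startswith(LURE_PREFIX) and lowered.endswith(".zip"):
        return name
    return None


def scan(log_lines):
    """Return (timestamp, client, file name) for every matching request.
    Assumed layout per line: timestamp client method url status."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        timestamp, client, _method, url, _status = fields[:5]
        name = lure_filename(url)
        if name:
            hits.append((timestamp, client, name))
    return hits


# Constructed proxy log lines for illustration only.
SAMPLE_LOG = [
    "2023-04-18T09:12:03Z 10.0.4.17 GET https://site-a.example.test/dl/chromium-patch-nightly.00.0101.zip 200",
    "2023-04-18T09:15:40Z 10.0.4.22 GET https://site-b.example.test/f/Chromium%2DPatch%2DNightly.zip?src=err 200",
    "2023-04-18T09:20:11Z 10.0.4.30 GET https://docs.example.test/chromium-patch-nightly-notes.html 200",
    "2023-04-18T09:21:00Z 10.0.4.31 GET https://dl.example.test/ChromeSetup.exe 200",
    "truncated line",
]

if __name__ == "__main__":
    for timestamp, client, name in scan(SAMPLE_LOG):
        print(f"{timestamp} {client} downloaded {name}")
```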

Just Google Chrome? mkse wondered about Edge:

I asked Bing Chat … if Microsoft Edge was impacted as well, since it is Chromium based. It gave me the following response:

Is Microsoft Edge impacted by CVE-2023-2033?
Searching for: Microsoft Edge CVE-2023-2033
Generating answers for you
Yes, Microsoft Edge is impacted by CVE-2023-2033. CVE-2023-2033 is a high-severity type confusion weakness in the Chrome V8 JavaScript engine that impacts all Chromium-based browsers including Microsoft Edge.

But if you’re still on Windows 7 or 8, you’re SOL. rolph is incensed:

No amount of prompt zero day mitigation will correct the problem of denying updates to users that refuse to install an insecure operating system. A web browser has no business demanding w11 installs in exchange for updates.

Huh? The appropriately named Version 1.0 puts it another way:

Goodbye Chrome. … “Older versions of Chrome will continue to work, but there will be no further updates released for users on these operating systems. If you are currently on Windows 7 and Windows 8/8.1, we encourage you to move to a supported Windows version to ensure you continue to receive the latest security updates and Chrome features.”

So if you are using Chrome on an old computer then you need to either throw it in the trash can and buy a new computer — or uninstall Chrome.

Uninstall Chrome—and then what? And then heed xack:

So if you’re still using Windows 7, uninstall Chrome and use Firefox—as it is the only mainstream browser to support Windows 7 (and 8.1). Of course, you really shouldn’t be connecting Windows 7 boxes to the internet anymore so only do this if you physically can’t use a different OS.

And Finally:

Old skool fauna


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Natallia Nagorniak (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
