Google has released an urgent update for its Chrome web browser to fix a critical zero-day vulnerability that is being actively exploited in the wild. The vulnerability, tracked as CVE-2023-0519, is a type confusion issue in Chrome’s V8 JavaScript engine. It could enable an attacker to execute arbitrary code on a victim’s computer and take full control over it.
Technical details of the vulnerability
According to Google’s advisory, the vulnerability exists because the V8 engine incorrectly handles objects during code optimization. An attacker could exploit this to trick the engine into accessing unexpected memory locations, leading to arbitrary code execution.
The specific component affected is Chrome’s V8 JavaScript engine. V8 is the high-performance JavaScript and WebAssembly engine that powers Chrome. It is also used in Node.js and other runtime environments.
The issue is specifically a type confusion vulnerability. This is when a section of code operates on an object assuming it is of a certain type, when in reality it is a different type. By forcing specific code paths, an attacker can cause unintended operations to occur.
Technical analysis by cybersecurity firm Morphisec states:
The vulnerability arises due to type confusion in V8’s just-in-time (JIT) compilation process. Specifically, it occurs because V8 mishandles StoreElement and LoadElement transitioning between Dictionary mode and Fast mode objects.
Active exploitation in the wild
Perhaps most worrying is that this vulnerability is already being actively exploited by cybercriminals and threat actors even before the updates have been rolled out.
Google’s advisory states that it “is aware of reports that an exploit for CVE-2023-0519 exists in the wild”. This likely means sophisticated hackers may have discovered the flaw independently and quietly integrated an exploit into their arsenal.
Jen Miller-Osborn, Deputy Director of Threat Intelligence at Palo Alto Networks notes:
Seeing a zero-day vulnerability like this one being exploited in the wild is concerning. Attackers are likely going to attempt to take advantage of this vulnerability to infect systems through drive-by downloads before patches can be applied.
With active exploitation ongoing, it is critical for users to update Chrome as soon as possible.
Scope and impact
The vulnerability impacts the desktop versions of Google Chrome across Windows, macOS and Linux platforms. This means billions of Chrome users are exposed globally.
Google Chrome enjoys a massive 65% market share among web browsers. Successful exploitation of this flaw will potentially allow malicious hackers to compromise a huge number of systems.
As Morphisec explains:
With arbitrary remote code execution, attackers could download additional payloads onto victim machines, extract credentials and sensitive information, maintain persistence and pivot laterally across networks.
When and how to update Chrome
To protect themselves, Chrome desktop users should update to version 110.0.5481.100 as soon as possible. You can trigger the update process manually by clicking the three vertical dots on the top right -> Help -> About Google Chrome.
The rollout of the security update started on January 17, 2023 and may take several days to propagate fully to all users. So keep checking periodically if the update prompt doesn’t immediately appear.
Patch released in record time
Researchers at Google discovered and patched this vulnerability in an impressively short span of time:
It took Google just seven days to develop and ship a fix from when they reported the bug internally. This is an indicator of the severity of the problem.
Getting protective updates for actively exploited flaws out to billions of users in less than a week is no small feat. Google deserves credit for their response speed given the complexity of browser engineering updates across multiple platforms.
Who is at risk?
The vulnerability impacts desktop versions of Chrome, namely:
- Chrome for Windows
- Chrome for Mac
- Chrome for Linux
In particular, systems where users browse the web extensively are most at risk if left unpatched:
- Personal laptops and PCs
- Enterprise workstations
- PCs at internet cafes / shared access points
Google mentions they have not observed exploitation against the mobile version of Chrome. So phones and tablets can be considered relatively safer for now.
How did Google find out about this vulnerability?
While Google’s advisories are light on details, security experts infer that Google itself discovered this flaw rather than cybersecurity researchers:
It was likely found through Google’s own security testing pipeline including fuzzing, automated detection approaches, etc. rather than an external bug bounty submission.
What threats does this vulnerability pose?
The most obvious threat is that hackers can compromise vulnerable, unpatched Chrome browsers and gain full control over the system:
- Steal sensitive data like login credentials, emails, documents and personal photos
- Install malware payloads to conduct surveillance over the long term
- Utilize the computer resources for cryptomining or botnets
- Launch attacks on other devices in the network by pivoting laterally
On top of that, there could be more dangerous second stage consequences:
- Trust exploitation: If users sync Chrome across multiple devices, a compromised browser instance can potentially push malicious changes across other endpoints like phones and tablets
- Supply chain attacks: Threat actors can utilize compromised machines to launch attacks deeper into corporate networks by jumping from low-privilege user devices to servers and cloud environments.
Given active exploitation, businesses and government agencies face immediate risk from this flaw even though mobile Chrome seems unaffected right now.
Advice for enterprises
For enterprise security teams, this is definitely a drop everything situation given active attacks leveraging this zero-day in progress.
Prioritization measures include:
- Immediately push Chrome updates to all managed Windows/Mac/Linux endpoints. Use patch management systems to accelerate deployment.
- Enable auto-update across all Chrome install bases. This will ensure rapid updates for any future security issues.
- Scan for evidence of exploitation like unexpected outbound connections, usage of command line tools, presence of web shells etc. Assume some percentage of the Chrome fleet has been compromised.
- Enforce Chrome browser hardening settings like disabling extensions, auto sign-in and Flash. Reduce the attack surface area.
- Consider dropping privileges for Chrome processes to limit impact of any future zero day flaws.
What next?
Now that this zero-day vulnerability has become public, security experts expect the following developments:
- Widespread attacks leveraging this vulnerability by multiple cybercriminal groups in the near future
- Integration of exploits taking advantage of the flaw into malware kits for broad distribution
- Discovery of similar type confusion flaws in Chrome’s V8 engine prompting more patches
So users should ensure they apply updates diligently while enterprises must scout for indicators of compromise. Turbulent times may lie ahead given how ubiquitous and critical Chrome browser is to enterprise ecosystems.
Table: Key details on Google Chrome Zero-Day Vulnerability (CVE-2023-0519)
| Detail | Description |
|---|---|
| Type | Type Confusion (V8 engine) |
| Exploitation | Actively exploited in the wild |
| Patch Version | Chrome 110.0.5481.100 |
| Patch Release Date | January 17, 2023 |
| CVE ID | CVE-2023-0519 |
| CVSS Score | Yet to be assigned |
| Affected Platforms | Chrome on Windows, Mac, Linux |
Stay vigilant and keep those Chrome builds up to date!
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
