Serious Google Chrome security issue — update now
Google has rolled out a security patch to fix a high-severity vulnerability in its Chrome web browser for desktops, which has been actively exploited.
The CVE-2023-2033 vulnerability was reported by Google Threat Analysis Group’s Clément Lecigne on 11 April 2023.
In a blog post on Friday, 14 April 2023, Google explained it was a “type confusion” bug in V8, the JavaScript engine used by Chromium-based browsers.
In simple terms, a type confusion occurs when a program allocates or initialises a resource such as a pointer, object, or variable using one type, but then accesses that resource using a type that is incompatible with the original.
For example, under certain circumstances, JavaScript automatically tries to convert an array into a character string when performing specific comparisons.
A type confusion enables attackers to read and write memory out of bounds, which could give them access to sensitive information in the browser or cause it to crash.
The description of the CVE said the bug allowed a remote attacker to potentially exploit heap corruption through a specially crafted HTML page.
Google said that access to further bug details and links might be restricted until most users received the fix.
While Chrome typically performs updates automatically, it is advisable to check what version you are running and manually update in case you have not yet received the patch.
To do this, click on the three-dot (“kebab”) menu near the top right corner of the Chrome window, select “Settings”, and then open the “About Chrome” section at the bottom of the settings categories.
The version number for the Chrome browser with the patch is 112.0.5615.121. If this is not the version you are seeing, hit the update button to install the patch.
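For administrators checking many machines rather than one, the same comparison against 112.0.5615.121 can be scripted. The Python below is an added example, not code from Google or the original article; the host names and reported strings are constructed, and it assumes that any Google Chrome desktop build numerically at or above the patched version contains the fix.

```python
import re

# Patched desktop version stated in the article.
PATCHED = (112, 0, 5615, 121)

# Matches a four-part Chrome version anywhere in a string, such as the
# "Google Chrome 112.0.5615.49" line printed by `google-chrome --version` on Linux.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the version as a tuple of ints, or None if no version is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, patched=PATCHED):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    # Tuple-of-int comparison is numeric per component. Comparing the raw
    # strings would rank "112.0.5615.49" above "112.0.5615.121" ('4' > '1').
    return "patched" if v >= patched else "vulnerable"


def triage(inventory):
    """Map each host to its status; 'unknown' entries need a manual check."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory (hypothetical host names and reported strings).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 112.0.5615.121",
    "ws-02": "Google Chrome 112.0.5615.49",
    "ws-03": "Google Chrome 111.0.5563.146",
    "ws-04": "113.0.5672.63",
    "ws-05": "Google Chrome (version not reported)",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are not confirmed safe and should be checked by hand through the “About Chrome” page.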
Google Chrome is the world’s most popular desktop Internet browser, with 64.8% market share as of March 2023, according to GlobalStats Statcounter.
While Google has not published its exact user numbers in a while, AtlasVPN estimated the figure stood at about 3.38 billion as of May 2022.