The Google Chrome 114 security update patches critical flaws, including a third zero-day vulnerability

Google has released Chrome 114, a security update that patches a critical zero-day vulnerability that the company’s Threat Analysis Group discovered and which was exploited in the wild. The latest version of Chrome also includes a patch for another vulnerability. The security update is a timely response to an ongoing threat and the company has warned users to update their Chrome browser as soon as possible.

Chrome 114 Security Update

The new Chrome 114 update for Windows, Mac, and Linux patches two flaws, including CVE-2023-3079, a type confusion issue affecting the V8 JavaScript engine. In a blog post, Google explained that “Google is aware of reports that an exploit for CVE-2023-3079 exists in the wild.” This zero-day vulnerability, which was discovered by Clement Lecigne of Google’s Threat Analysis Group on June 1, has been actively exploited by attackers.

Patches Two Flaws

Google has not shared any information about the second flaw patched in Chrome 114. Considering the nature of the first patch, it’s likely that the second flaw is also a severe vulnerability. The company has urged all Chrome users to update their browser to the newly released version to protect their systems.

Type Confusion Issue Affects V8 JavaScript Engine

The CVE-2023-3079 vulnerability that Chrome version 114 has fixed is a “use-after-free” type confusion issue affecting the V8 JavaScript engine. This vulnerability enables attackers to execute arbitrary code and gain control of an affected system. It is a severe vulnerability that can be exploited remotely and is considered a high-risk flaw.

Exploitation of CVE-2023-3079 in the wild

Google has confirmed that the CVE-2023-3079 vulnerability, which was patched in Chrome 114, was already under attack. An exploit for this flaw existed in the wild, which means cybercriminals have been using it to compromise systems. The company has not shared any information on the attacks or the actors behind them.

Google has not shared information on the attacks

Google’s Threat Analysis Group is responsible for identifying threats and vulnerabilities before they are exploited by threat actors. However, they have not shared any information about who is behind the attacks or the companies that have been targeted due to the sensitive nature of these investigations and the potential harm it could cause to users and stakeholders.

Discovered by Clement Lecigne of Google’s Threat Analysis Group

Clement Lecigne is a researcher at Google’s Threat Analysis Group. He discovered the CVE-2023-3079 vulnerability on June 1 and immediately reported it to Google’s security team. Google’s security team analyzed the bug and issued a patch within a month. This swift response highlights the importance of such groups in cybersecurity.

Commercial spyware vendors may have exploited CVE-2023-3079

The fact that Google’s Threat Analysis Group discovered CVE-2023-3079 suggests that it has likely been exploited by a commercial spyware vendor for their products. These vendors offer lawful surveillance tools for government agencies, but their products can also be used for malicious activities.

Google’s blog posts on spyware vendors and lawful surveillance

Google has been vocal about the use of spyware vendors as a means to carry out surveillance activities on individuals. In blog posts, the company has highlighted the techniques these companies use and the vulnerabilities in Chrome they exploit to target Android devices. Such posts are designed to raise awareness of the potential risks posed by spyware vendors and the need to take measures to protect against them.

Chrome Vulnerabilities Used by Spyware Vendors to Target Android Devices

Chrome vulnerabilities are often used by spyware vendors as part of their exploit chains to target Android devices. These complex chains are designed to take advantage of multiple bugs and vulnerabilities in a system to ultimately gain control of target devices. By using Chrome vulnerabilities, spyware vendors can potentially compromise a massive number of devices and gain unauthorized access to sensitive data.

Google’s $180,000 Bug Bounty Program for a Full Chain Exploit

Google announced that it will temporarily offer up to $180,000 through its bug bounty program for a full chain exploit that leads to a sandbox escape in Chrome. This demonstrates the company’s commitment to identifying and eliminating security vulnerabilities in its products. It also incentivizes security researchers to identify and report such vulnerabilities.

Totalitarian regimes’ abuse of spyware vendor solutions to spy on critics

Unfortunately, totalitarian regimes have often taken advantage of spyware vendor solutions to spy on critics or opposition groups. By exploiting Chrome vulnerabilities, these regimes can identify and target individuals, even if they use encrypted communication channels. This highlights the need for regulation and transparency in the commercial spyware market to prevent the misuse of surveillance tools.

Google’s 2022 Patch for Nine Chrome Zero-Days

In 2022, Google patched nine Chrome zero-day vulnerabilities, five of which were discovered by its Threat Analysis Group. These patches demonstrate the company’s commitment to identifying and addressing security vulnerabilities in its products. It also shows the continued efforts of its security team to stay ahead of cybercriminals and threat actors.

The timely release of Chrome 114 is a testament to Google’s commitment to providing secure software products. With its bug bounty program and dedicated security team, Google continues to identify and patch vulnerabilities in its products. This is crucial for maintaining the integrity of the internet and protecting users from malicious attacks. By incentivizing security researchers to report vulnerabilities, Google is helping to build a safer online ecosystem for all users.

Explore more

AI Revolutionizes Corporate Finance: Enhancing CFO Strategies

Imagine a finance department where decisions are made with unprecedented speed and accuracy, and predictions of market trends are made almost effortlessly. In today’s rapidly changing business landscape, CFOs are facing immense pressure to keep up. These leaders wonder: Can Artificial Intelligence be the game-changer they’ve been waiting for in corporate finance? The unexpected truth is that AI integration is

AI Revolutionizes Risk Management in Financial Trading

In an era characterized by rapid change and volatility, artificial intelligence (AI) emerges as a pivotal tool for redefining risk management practices in financial markets. Financial institutions increasingly turn to AI for its advanced analytical capabilities, offering more precise and effective risk mitigation. This analysis delves into key trends, evaluates current market patterns, and projects the transformative journey AI is

Is AI Transforming or Enhancing Financial Sector Jobs?

Artificial intelligence stands at the forefront of technological innovation, shaping industries far and wide, and the financial sector is no exception to this transformative wave. As AI integrates into finance, it isn’t merely automating tasks or replacing jobs but is reshaping the very structure and nature of work. From asset allocation to compliance, AI’s influence stretches across the industry’s diverse

RPA’s Resilience: Evolving in Automation’s Complex Ecosystem

Ever heard the assertion that certain technologies are on the brink of extinction, only for them to persist against all odds? In the rapidly shifting tech landscape, Robotic Process Automation (RPA) has continually faced similar scrutiny, predicted to be overtaken by shinier, more advanced systems. Yet, here we are, with RPA not just surviving but thriving, cementing its role within

How Is RPA Transforming Business Automation?

In today’s fast-paced business environment, automation has become a pivotal strategy for companies striving for efficiency and innovation. Robotic Process Automation (RPA) has emerged as a key player in this automation revolution, transforming the way businesses operate. RPA’s capability to mimic human actions while interacting with digital systems has positioned it at the forefront of technological advancement. By enabling companies