The Google Chrome 114 security update patches critical flaws, including a third zero-day vulnerability

Google has released Chrome 114, a security update that patches a critical zero-day vulnerability that the company’s Threat Analysis Group discovered and which was exploited in the wild. The latest version of Chrome also includes a patch for another vulnerability. The security update is a timely response to an ongoing threat and the company has warned users to update their Chrome browser as soon as possible.

Chrome 114 Security Update

The new Chrome 114 update for Windows, Mac, and Linux patches two flaws, including CVE-2023-3079, a type confusion issue affecting the V8 JavaScript engine. In a blog post, Google explained that “Google is aware of reports that an exploit for CVE-2023-3079 exists in the wild.” This zero-day vulnerability, which was discovered by Clement Lecigne of Google’s Threat Analysis Group on June 1, has been actively exploited by attackers.

Patches Two Flaws

Google has not shared any information about the second flaw patched in Chrome 114. Considering the nature of the first patch, it’s likely that the second flaw is also a severe vulnerability. The company has urged all Chrome users to update their browser to the newly released version to protect their systems.

Type Confusion Issue Affects V8 JavaScript Engine

The CVE-2023-3079 vulnerability that Chrome version 114 has fixed is a “use-after-free” type confusion issue affecting the V8 JavaScript engine. This vulnerability enables attackers to execute arbitrary code and gain control of an affected system. It is a severe vulnerability that can be exploited remotely and is considered a high-risk flaw.

Exploitation of CVE-2023-3079 in the wild

Google has confirmed that the CVE-2023-3079 vulnerability, which was patched in Chrome 114, was already under attack. An exploit for this flaw existed in the wild, which means cybercriminals have been using it to compromise systems. The company has not shared any information on the attacks or the actors behind them.

Google has not shared information on the attacks

Google’s Threat Analysis Group is responsible for identifying threats and vulnerabilities before they are exploited by threat actors. However, they have not shared any information about who is behind the attacks or the companies that have been targeted due to the sensitive nature of these investigations and the potential harm it could cause to users and stakeholders.

Discovered by Clement Lecigne of Google’s Threat Analysis Group

Clement Lecigne is a researcher at Google’s Threat Analysis Group. He discovered the CVE-2023-3079 vulnerability on June 1 and immediately reported it to Google’s security team. Google’s security team analyzed the bug and issued a patch within a month. This swift response highlights the importance of such groups in cybersecurity.

Commercial spyware vendors may have exploited CVE-2023-3079

The fact that Google’s Threat Analysis Group discovered CVE-2023-3079 suggests that it has likely been exploited by a commercial spyware vendor for their products. These vendors offer lawful surveillance tools for government agencies, but their products can also be used for malicious activities.

Google’s blog posts on spyware vendors and lawful surveillance

Google has been vocal about the use of spyware vendors as a means to carry out surveillance activities on individuals. In blog posts, the company has highlighted the techniques these companies use and the vulnerabilities in Chrome they exploit to target Android devices. Such posts are designed to raise awareness of the potential risks posed by spyware vendors and the need to take measures to protect against them.

Chrome Vulnerabilities Used by Spyware Vendors to Target Android Devices

Chrome vulnerabilities are often used by spyware vendors as part of their exploit chains to target Android devices. These complex chains are designed to take advantage of multiple bugs and vulnerabilities in a system to ultimately gain control of target devices. By using Chrome vulnerabilities, spyware vendors can potentially compromise a massive number of devices and gain unauthorized access to sensitive data.

Google’s $180,000 Bug Bounty Program for a Full Chain Exploit

Google announced that it will temporarily offer up to $180,000 through its bug bounty program for a full chain exploit that leads to a sandbox escape in Chrome. This demonstrates the company’s commitment to identifying and eliminating security vulnerabilities in its products. It also incentivizes security researchers to identify and report such vulnerabilities.

Totalitarian regimes’ abuse of spyware vendor solutions to spy on critics

Unfortunately, totalitarian regimes have often taken advantage of spyware vendor solutions to spy on critics or opposition groups. By exploiting Chrome vulnerabilities, these regimes can identify and target individuals, even if they use encrypted communication channels. This highlights the need for regulation and transparency in the commercial spyware market to prevent the misuse of surveillance tools.

Google’s 2022 Patch for Nine Chrome Zero-Days

In 2022, Google patched nine Chrome zero-day vulnerabilities, five of which were discovered by its Threat Analysis Group. These patches demonstrate the company’s commitment to identifying and addressing security vulnerabilities in its products. It also shows the continued efforts of its security team to stay ahead of cybercriminals and threat actors.

The timely release of Chrome 114 is a testament to Google’s commitment to providing secure software products. With its bug bounty program and dedicated security team, Google continues to identify and patch vulnerabilities in its products. This is crucial for maintaining the integrity of the internet and protecting users from malicious attacks. By incentivizing security researchers to report vulnerabilities, Google is helping to build a safer online ecosystem for all users.

Explore more

Apple iPhone 18 Leak Reveals RAM Upgrades for Advanced AI

Dominic Jainy brings a wealth of knowledge to the table regarding the hardware-software symbiosis required for modern artificial intelligence. As an IT professional deeply embedded in the evolution of silicon architecture and machine learning, he offers a unique perspective on why seemingly incremental hardware shifts often dictate the entire user experience. This discussion explores the technical nuances of Apple’s transition

Why Are Investors Choosing Pepeto Over Stagnant Ethereum?

The global cryptocurrency landscape is currently undergoing a fundamental reorganization as capital increasingly migrates from established legacy protocols toward nimble, utility-driven newcomers that offer significant growth potential. For years, Ethereum remained the undisputed leader in smart contract functionality, yet its recent price stagnation has left many market participants searching for more dynamic opportunities. This transition is not merely a product

AI Becomes the Core Infrastructure of Global Banking

The global financial sector has officially moved past the phase of speculative experimentation, cementing artificial intelligence as the definitive architectural foundation upon which all modern banking services now operate. This structural metamorphosis represents a pivot from peripheral innovation toward a state of full-scale operational maturity, where algorithms are no longer viewed as external additions but as the very core of

Will the Vivo X500 Series Set New Flagship Standards?

The swift evolution of mobile technology often leaves consumers wondering if the next major release will truly redefine the experience or simply polish existing features. Currently, the industry looks toward the X500 series as a potential catalyst for change. The pace of innovation has accelerated to a point where a yearly cycle no longer satisfies the hunger for cutting-edge hardware

AI and Supply Chain Risks Reshape the Cyber Threat Landscape

The speed at which a software vulnerability transforms from a quiet discovery into a weaponized global threat has reached a breaking point, redefining the very concept of digital defense. This phenomenon, frequently described as the compression of time, characterizes a modern landscape where the gap between the identification of a flaw and its active exploitation by malicious actors has essentially