The Google Chrome 114 security update patches critical flaws, including a third zero-day vulnerability

Google has released Chrome 114, a security update that patches a critical zero-day vulnerability discovered by the company’s Threat Analysis Group and exploited in the wild. The latest version of Chrome also includes a patch for another vulnerability. The security update is a timely response to an ongoing threat, and the company has warned users to update their Chrome browser as soon as possible.

Chrome 114 Security Update

The new Chrome 114 update for Windows, Mac, and Linux patches two flaws, including CVE-2023-3079, a type confusion issue affecting the V8 JavaScript engine. In a blog post, Google explained that “Google is aware of reports that an exploit for CVE-2023-3079 exists in the wild.” This zero-day vulnerability, which was discovered by Clement Lecigne of Google’s Threat Analysis Group on June 1, has been actively exploited by attackers.

Patches Two Flaws

Google has not shared any information about the second flaw patched in Chrome 114. Considering the nature of the first patch, it’s likely that the second flaw is also a severe vulnerability. The company has urged all Chrome users to update their browser to the newly released version to protect their systems.

Type Confusion Issue Affects V8 JavaScript Engine

The CVE-2023-3079 vulnerability that Chrome version 114 has fixed is a type confusion issue affecting the V8 JavaScript engine. This vulnerability enables attackers to execute arbitrary code and gain control of an affected system. It is a severe vulnerability that can be exploited remotely and is considered a high-risk flaw.

Exploitation of CVE-2023-3079 in the wild

Google has confirmed that the CVE-2023-3079 vulnerability, which was patched in Chrome 114, was already under attack. An exploit for this flaw existed in the wild, which means cybercriminals have been using it to compromise systems. The company has not shared any information on the attacks or the actors behind them.

Google has not shared information on the attacks

Google’s Threat Analysis Group is responsible for identifying threats and vulnerabilities before they are exploited by threat actors. However, it has not shared any information about who is behind the attacks or which companies have been targeted, due to the sensitive nature of these investigations and the potential harm disclosure could cause to users and stakeholders.

Discovered by Clement Lecigne of Google’s Threat Analysis Group

Clement Lecigne is a researcher at Google’s Threat Analysis Group. He discovered the CVE-2023-3079 vulnerability on June 1 and immediately reported it to Google’s security team. Google’s security team analyzed the bug and issued a patch within a month. This swift response highlights the importance of such groups in cybersecurity.

Commercial spyware vendors may have exploited CVE-2023-3079

The fact that Google’s Threat Analysis Group discovered CVE-2023-3079 suggests that a commercial spyware vendor has likely exploited it in its products. These vendors offer lawful surveillance tools for government agencies, but their products can also be used for malicious activities.

Google’s blog posts on spyware vendors and lawful surveillance

Google has been vocal about spyware vendors and the use of their products to carry out surveillance on individuals. In blog posts, the company has highlighted the techniques these companies use and the vulnerabilities in Chrome they exploit to target Android devices. Such posts are designed to raise awareness of the potential risks posed by spyware vendors and the need to take measures to protect against them.

Chrome Vulnerabilities Used by Spyware Vendors to Target Android Devices

Chrome vulnerabilities are often used by spyware vendors as part of their exploit chains to target Android devices. These complex chains are designed to take advantage of multiple bugs and vulnerabilities in a system to ultimately gain control of target devices. By using Chrome vulnerabilities, spyware vendors can potentially compromise a massive number of devices and gain unauthorized access to sensitive data.

Google’s $180,000 Bug Bounty Program for a Full Chain Exploit

Google announced that it will temporarily offer up to $180,000 through its bug bounty program for a full chain exploit that leads to a sandbox escape in Chrome. This demonstrates the company’s commitment to identifying and eliminating security vulnerabilities in its products. It also incentivizes security researchers to identify and report such vulnerabilities.

Totalitarian regimes’ abuse of spyware vendor solutions to spy on critics

Unfortunately, totalitarian regimes have often taken advantage of spyware vendor solutions to spy on critics or opposition groups. By exploiting Chrome vulnerabilities, these regimes can identify and target individuals, even if they use encrypted communication channels. This highlights the need for regulation and transparency in the commercial spyware market to prevent the misuse of surveillance tools.

Google’s 2022 Patch for Nine Chrome Zero-Days

In 2022, Google patched nine Chrome zero-day vulnerabilities, five of which were discovered by its Threat Analysis Group. These patches demonstrate the company’s commitment to identifying and addressing security vulnerabilities in its products. It also shows the continued efforts of its security team to stay ahead of cybercriminals and threat actors.

The timely release of Chrome 114 is a testament to Google’s commitment to providing secure software products. With its bug bounty program and dedicated security team, Google continues to identify and patch vulnerabilities in its products. This is crucial for maintaining the integrity of the internet and protecting users from malicious attacks. By incentivizing security researchers to report vulnerabilities, Google is helping to build a safer online ecosystem for all users.
