The Google Chrome 114 security update patches critical flaws, including a third zero-day vulnerability

Google has released Chrome 114, a security update that patches a critical zero-day vulnerability that the company’s Threat Analysis Group discovered and which was exploited in the wild. The latest version of Chrome also includes a patch for another vulnerability. The security update is a timely response to an ongoing threat and the company has warned users to update their Chrome browser as soon as possible.

Chrome 114 Security Update

The new Chrome 114 update for Windows, Mac, and Linux patches two flaws, including CVE-2023-3079, a type confusion issue affecting the V8 JavaScript engine. In a blog post, Google explained that “Google is aware of reports that an exploit for CVE-2023-3079 exists in the wild.” This zero-day vulnerability, which was discovered by Clement Lecigne of Google’s Threat Analysis Group on June 1, has been actively exploited by attackers.

Patches Two Flaws

Google has not shared any information about the second flaw patched in Chrome 114. Considering the nature of the first patch, it’s likely that the second flaw is also a severe vulnerability. The company has urged all Chrome users to update their browser to the newly released version to protect their systems.

Type Confusion Issue Affects V8 JavaScript Engine

The CVE-2023-3079 vulnerability that Chrome version 114 has fixed is a “use-after-free” type confusion issue affecting the V8 JavaScript engine. This vulnerability enables attackers to execute arbitrary code and gain control of an affected system. It is a severe vulnerability that can be exploited remotely and is considered a high-risk flaw.

Exploitation of CVE-2023-3079 in the wild

Google has confirmed that the CVE-2023-3079 vulnerability, which was patched in Chrome 114, was already under attack. An exploit for this flaw existed in the wild, which means cybercriminals have been using it to compromise systems. The company has not shared any information on the attacks or the actors behind them.

Google has not shared information on the attacks

Google’s Threat Analysis Group is responsible for identifying threats and vulnerabilities before they are exploited by threat actors. However, they have not shared any information about who is behind the attacks or the companies that have been targeted due to the sensitive nature of these investigations and the potential harm it could cause to users and stakeholders.

Discovered by Clement Lecigne of Google’s Threat Analysis Group

Clement Lecigne is a researcher at Google’s Threat Analysis Group. He discovered the CVE-2023-3079 vulnerability on June 1 and immediately reported it to Google’s security team. Google’s security team analyzed the bug and issued a patch within a month. This swift response highlights the importance of such groups in cybersecurity.

Commercial spyware vendors may have exploited CVE-2023-3079

The fact that Google’s Threat Analysis Group discovered CVE-2023-3079 suggests that it has likely been exploited by a commercial spyware vendor for their products. These vendors offer lawful surveillance tools for government agencies, but their products can also be used for malicious activities.

Google’s blog posts on spyware vendors and lawful surveillance

Google has been vocal about the use of spyware vendors as a means to carry out surveillance activities on individuals. In blog posts, the company has highlighted the techniques these companies use and the vulnerabilities in Chrome they exploit to target Android devices. Such posts are designed to raise awareness of the potential risks posed by spyware vendors and the need to take measures to protect against them.

Chrome Vulnerabilities Used by Spyware Vendors to Target Android Devices

Chrome vulnerabilities are often used by spyware vendors as part of their exploit chains to target Android devices. These complex chains are designed to take advantage of multiple bugs and vulnerabilities in a system to ultimately gain control of target devices. By using Chrome vulnerabilities, spyware vendors can potentially compromise a massive number of devices and gain unauthorized access to sensitive data.

Google’s $180,000 Bug Bounty Program for a Full Chain Exploit

Google announced that it will temporarily offer up to $180,000 through its bug bounty program for a full chain exploit that leads to a sandbox escape in Chrome. This demonstrates the company’s commitment to identifying and eliminating security vulnerabilities in its products. It also incentivizes security researchers to identify and report such vulnerabilities.

Totalitarian regimes’ abuse of spyware vendor solutions to spy on critics

Unfortunately, totalitarian regimes have often taken advantage of spyware vendor solutions to spy on critics or opposition groups. By exploiting Chrome vulnerabilities, these regimes can identify and target individuals, even if they use encrypted communication channels. This highlights the need for regulation and transparency in the commercial spyware market to prevent the misuse of surveillance tools.

Google’s 2022 Patch for Nine Chrome Zero-Days

In 2022, Google patched nine Chrome zero-day vulnerabilities, five of which were discovered by its Threat Analysis Group. These patches demonstrate the company’s commitment to identifying and addressing security vulnerabilities in its products. It also shows the continued efforts of its security team to stay ahead of cybercriminals and threat actors.

The timely release of Chrome 114 is a testament to Google’s commitment to providing secure software products. With its bug bounty program and dedicated security team, Google continues to identify and patch vulnerabilities in its products. This is crucial for maintaining the integrity of the internet and protecting users from malicious attacks. By incentivizing security researchers to report vulnerabilities, Google is helping to build a safer online ecosystem for all users.

Explore more

Why is LinkedIn the Go-To for B2B Advertising Success?

In an era where digital advertising is fiercely competitive, LinkedIn emerges as a leading platform for B2B marketing success due to its expansive user base and unparalleled targeting capabilities. With over a billion users, LinkedIn provides marketers with a unique avenue to reach decision-makers and generate high-quality leads. The platform allows for strategic communication with key industry figures, a crucial

Endpoint Threat Protection Market Set for Strong Growth by 2034

As cyber threats proliferate at an unprecedented pace, the Endpoint Threat Protection market emerges as a pivotal component in the global cybersecurity fortress. By the close of 2034, experts forecast a monumental rise in the market’s valuation to approximately US$ 38 billion, up from an estimated US$ 17.42 billion. This analysis illuminates the underlying forces propelling this growth, evaluates economic

How Will ICP’s Solana Integration Transform DeFi and Web3?

The collaboration between the Internet Computer Protocol (ICP) and Solana is poised to redefine the landscape of decentralized finance (DeFi) and Web3. Announced by the DFINITY Foundation, this integration marks a pivotal step in advancing cross-chain interoperability. It follows the footsteps of previous successful integrations with Bitcoin and Ethereum, setting new standards in transactional speed, security, and user experience. Through

Embedded Finance Ecosystem – A Review

In the dynamic landscape of fintech, a remarkable shift is underway. Embedded finance is taking the stage as a transformative force, marking a significant departure from traditional financial paradigms. This evolution allows financial services such as payments, credit, and insurance to seamlessly integrate into non-financial platforms, unlocking new avenues for service delivery and consumer interaction. This review delves into the

Certificial Launches Innovative Vendor Management Program

In an era where real-time data is paramount, Certificial has unveiled its groundbreaking Vendor Management Partner Program. This initiative seeks to transform the cumbersome and often error-prone process of insurance data sharing and verification. As a leader in the Certificate of Insurance (COI) arena, Certificial’s Smart COI Network™ has become a pivotal tool for industries relying on timely insurance verification.