Google has released Chrome 114, a security update that patches a critical zero-day vulnerability that the company’s Threat Analysis Group discovered and which was exploited in the wild. The latest version of Chrome also includes a patch for another vulnerability. The security update is a timely response to an ongoing threat and the company has warned users to update their Chrome browser as soon as possible.
Chrome 114 Security Update
The new Chrome 114 update for Windows, Mac, and Linux patches two flaws, including CVE-2023-3079, a type confusion issue affecting the V8 JavaScript engine. In a blog post, Google explained that “Google is aware of reports that an exploit for CVE-2023-3079 exists in the wild.” This zero-day vulnerability, which was discovered by Clement Lecigne of Google’s Threat Analysis Group on June 1, has been actively exploited by attackers.
Patches Two Flaws
Google has not shared any information about the second flaw patched in Chrome 114. Considering the nature of the first patch, it’s likely that the second flaw is also a severe vulnerability. The company has urged all Chrome users to update their browser to the newly released version to protect their systems.
Type Confusion Issue Affects V8 JavaScript Engine
The CVE-2023-3079 vulnerability that Chrome version 114 has fixed is a “use-after-free” type confusion issue affecting the V8 JavaScript engine. This vulnerability enables attackers to execute arbitrary code and gain control of an affected system. It is a severe vulnerability that can be exploited remotely and is considered a high-risk flaw.
Exploitation of CVE-2023-3079 in the wild
Google has confirmed that the CVE-2023-3079 vulnerability, which was patched in Chrome 114, was already under attack. An exploit for this flaw existed in the wild, which means cybercriminals have been using it to compromise systems. The company has not shared any information on the attacks or the actors behind them.
Google has not shared information on the attacks
Google’s Threat Analysis Group is responsible for identifying threats and vulnerabilities before they are exploited by threat actors. However, they have not shared any information about who is behind the attacks or the companies that have been targeted due to the sensitive nature of these investigations and the potential harm it could cause to users and stakeholders.
Discovered by Clement Lecigne of Google’s Threat Analysis Group
Clement Lecigne is a researcher at Google’s Threat Analysis Group. He discovered the CVE-2023-3079 vulnerability on June 1 and immediately reported it to Google’s security team. Google’s security team analyzed the bug and issued a patch within a month. This swift response highlights the importance of such groups in cybersecurity.
Commercial spyware vendors may have exploited CVE-2023-3079
The fact that Google’s Threat Analysis Group discovered CVE-2023-3079 suggests that it has likely been exploited by a commercial spyware vendor for their products. These vendors offer lawful surveillance tools for government agencies, but their products can also be used for malicious activities.
Google’s blog posts on spyware vendors and lawful surveillance
Google has been vocal about the use of spyware vendors as a means to carry out surveillance activities on individuals. In blog posts, the company has highlighted the techniques these companies use and the vulnerabilities in Chrome they exploit to target Android devices. Such posts are designed to raise awareness of the potential risks posed by spyware vendors and the need to take measures to protect against them.
Chrome Vulnerabilities Used by Spyware Vendors to Target Android Devices
Chrome vulnerabilities are often used by spyware vendors as part of their exploit chains to target Android devices. These complex chains are designed to take advantage of multiple bugs and vulnerabilities in a system to ultimately gain control of target devices. By using Chrome vulnerabilities, spyware vendors can potentially compromise a massive number of devices and gain unauthorized access to sensitive data.
Google’s $180,000 Bug Bounty Program for a Full Chain Exploit
Google announced that it will temporarily offer up to $180,000 through its bug bounty program for a full chain exploit that leads to a sandbox escape in Chrome. This demonstrates the company’s commitment to identifying and eliminating security vulnerabilities in its products. It also incentivizes security researchers to identify and report such vulnerabilities.
Totalitarian regimes’ abuse of spyware vendor solutions to spy on critics
Unfortunately, totalitarian regimes have often taken advantage of spyware vendor solutions to spy on critics or opposition groups. By exploiting Chrome vulnerabilities, these regimes can identify and target individuals, even if they use encrypted communication channels. This highlights the need for regulation and transparency in the commercial spyware market to prevent the misuse of surveillance tools.
Google’s 2022 Patch for Nine Chrome Zero-Days
In 2022, Google patched nine Chrome zero-day vulnerabilities, five of which were discovered by its Threat Analysis Group. These patches demonstrate the company’s commitment to identifying and addressing security vulnerabilities in its products. It also shows the continued efforts of its security team to stay ahead of cybercriminals and threat actors.
The timely release of Chrome 114 is a testament to Google’s commitment to providing secure software products. With its bug bounty program and dedicated security team, Google continues to identify and patch vulnerabilities in its products. This is crucial for maintaining the integrity of the internet and protecting users from malicious attacks. By incentivizing security researchers to report vulnerabilities, Google is helping to build a safer online ecosystem for all users.