Thursday, 08 June 2023 15:12

Google and Microsoft Share a Zero Day as both Chrome and Edge get Patch Now Guidance.

Written by

Reading time is around minutes.

Google has pushed out a new patch for Chrome to deal with a zero-day vulnerability tracked as CVE-2023-3079. In the patch release Google is clear that this vulnerability is actively being exploited in the wild and that users of both Chrome and Edge should update to the latest version as soon as possible. The report of the flaw was from Google’s own threat research team making this an even more urgent event.

The flaw in question is a Type Confusion flaw found in V8. Nothing more than that at this stage as Google, more than likely, does not want to advertise this to more people than are already attacking it. The limited information given is not unusual when it comes to zero-day vulnerabilities. These will sometimes not even show up in the National Vulnerability Database until a statistically significant number of installations are known to be patched.

With a type confusion flaw there is an issue with the way your applications handles input values. It is possible for an attacker to submit data that makes sense in one context but does not in another. However, because of the type confusion, the application will accept that data as safe and validated, because it has already checked in the proper context. This is an exceptionally oversimplified explanation, but it shows how the logic is interpreted and how not having the proper safeguards against improper data types can allow abuse of an application.

As Microsoft’s Edge is Chromium based this browser is also subject to this zero-day and should be updated to the latest version. Anything more recent than 114.0.1823.37 for edge should have the proper fixes in place. For Chrome on Windows, you should update to 114.0.5735.110 or later and 114.0.5735.106 for macOS and Linux.
Happy Patching

Read 1474 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.