Exploited zero-day patched in Chrome (CVE-2023-3079)

Google has fixed a high-severity vulnerability in the Chrome browser (CVE-2023-3079) that is being exploited by attackers.

About the vulnerability

CVE-2023-3079 is a vulnerability that stems from a type confusion in the V8 JavaScript engine, and has been uncovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a “task-force” dedicated to protecting users from state-sponsored malware attacks and other advanced persistent threats.

“Google is aware that an exploit for CVE-2023-3079 exists in the wild,” the Chrome team says.

As per usual, Google is refraining from revealing bug details “until a majority of users are updated with a fix.”

Fixing CVE-2023-3079

To address this critical issue, users are advised to upgrade their Google Chrome browser to the latest version. The recommended updates include version 114.0.5735.110 for Windows and version 114.0.5735.106 for macOS and Linux. Chromium-based browsers – Opera, Brave, Microsoft Edge, etc. – will also require patching.

These latest versions also include fixes for bugs unearthed by Google via internal audits, fuzzing and through other initiatives.

Hunting for bugs

This marks the third time in the current year that Google Chrome has experienced a zero-day vulnerability exploited in the wild.

Google has recently considerably augmented the reward amount for security bug reports that include a functional full chain exploit of Chrome.

Until December 1, 2023, the first bug hunter who reports one can get up to $180,000, and subsequent ones can get up to $120,000.

UPDATE (June 8, 2023, 04:15 a.m. ET):

Microsoft has released a fix for CVE-2023-3079 to Microsoft Edge Stable Channel (Version 114.0.1823.41).

UPDATE (August 16, 2023, 05:55 a.m. ET):

An exploit for CVE-2023-3079 has been published.