A zero-day vulnerability in Google Chrome that has been exploited in the wild has been fixed through the most recent Stable Channel Update for Desktop. A security bulletin released by Google this week confirms that an exploit for this bug exists, however, detailed exploit and vulnerability information has still not been released by Google in order to allow the majority of their users to apply this update before the bug details are made public. 

The zero-day vulnerability is tracked as CVE-2023-3079. This flaw has been assigned a Chromium security severity of ‘high’, however a CVSS base score has not yet been given. This flaw is a type confusion vulnerability that is found within the V8 JavaScript engine used by Google Chrome, and other Chromium-based browsers. A type confusion flaw occurs when a resource which might be a pointer, object, or variable, is initialised according to one type, but then later accessed using an incompatible type. In the case of this particular flaw, the known exploit involved a remote attacker crafting a malicious HTML page which allowed them to take advantage of a heap corruption. When exploits like this occur, this often then leads to out of bounds read or write capabilities, which in turn can cause the application to crash, or possibly allow for code execution. 

Although this is patched in the latest version of Google Chrome, users of other Chromium-based browsers, such as Microsoft Edge and Brave, should also check for any available updates, as they may be affected by this flaw in the Chromium V8 engine. Google Chrome users should update to version 114.0.5735.106 on Mac and Linux, and version 114.0.5735.110 on Windows to apply this latest security patch. To check which version of Chrome is being run on your device, open the Chrome browser, and use the Three Dot Menu to navigate to Settings. At the bottom of the menu on the left-hand side is the page About Chrome, which will display the current Chrome version in use, and provide the option to update to the latest version if necessary.