Google Releases Emergency Chrome Security Update (hothardware.com)

"Earlier this week, Google released an emergency security update for the Chrome browser due to a vulnerability that is being actively exploited in the wild," reports Hot Hardware: On Friday, Google highlighted CVE-2023-2033, reported by Clément Lecigne of Google's own Threat Analysis Group (TAG). This vulnerability is a 'type confusion' bug in the JavaScript engine for Chromium browsers using the V8 JavaScript engine. In short, type confusion is a bug that allows memory to be accessed with the wrong type, allowing for the reading or writing of memory out of bounds. The CVE page says that an attacker could create an HTML page that allows the exploitation of heap corruption.

While there is no Common Vulnerability Scoring System (CVSS) score attached to the vulnerability yet, Google is tracking this as a "high" severity issue. This is likely due in part to the fact that "Google is aware that an exploit for CVE-2023-2033 exists in the wild."

The article notes that Chrome updates are generally done automatically, but you can also check for updates by clicking Chrome's three-dots menu in the top-right corner, then "Help" and "About Chrome."
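As an added illustration of the bug class the summary describes (this is not code from the article, Google, or V8, and the value layout below is a constructed toy, not V8's real representation): a tagged value that can hold either a number or an array, a lookup that trusts a stale assumption about the tag, and the hardened form that re-checks the tag and the bounds before touching memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy value representation: a tag beside a payload, in the spirit
 * of how a JS engine distinguishes a number from an array. Assumption: this is
 * NOT V8's layout and says nothing about the specifics of CVE-2023-2033. */
typedef enum { TAG_NUMBER = 1, TAG_ARRAY = 2 } Tag;

typedef struct {
    uint32_t length;
    int32_t *elements;
} ArrayPayload;

typedef struct {
    Tag tag;
    union {
        double number;
        ArrayPayload array;
    } u;
} Value;

/* The bug class: the caller "knows" v is an array and never re-checks the tag.
 * When v actually holds a number, the array length is read from the number's
 * raw bit pattern, so a bogus bound would be trusted. Only the length is
 * returned here; nothing is dereferenced. */
uint32_t confused_length(const Value *v) {
    return v->u.array.length;
}

/* Hardened form: validate the tag and the index before touching the payload.
 * Returns 0 on success, -1 on a type mismatch, -2 on an out-of-bounds index. */
int checked_element(const Value *v, uint32_t idx, int32_t *out) {
    if (v->tag != TAG_ARRAY)
        return -1;
    if (idx >= v->u.array.length)
        return -2;
    *out = v->u.array.elements[idx];
    return 0;
}

int main(void) {
    int32_t backing[3] = {10, 20, 30};
    Value arr = { TAG_ARRAY, { .array = { 3, backing } } };
    Value num = { TAG_NUMBER, { .number = 0.1 } };
    int32_t x = 0;
    int rc = checked_element(&arr, 1, &x);
    printf("checked array[1]: rc=%d value=%d\n", rc, x);
    rc = checked_element(&num, 0, &x);
    printf("checked number[0]: rc=%d (type mismatch refused)\n", rc);
    printf("length a confused lookup would trust for a number: %u\n",
           confused_length(&num));
    return 0;
}
```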
  • by xack ( 5304745 ) on Sunday April 16, 2023 @05:30PM (#63454490)
    So if you're still using Windows 7 uninstall Chrome and use Firefox as it is the only mainstream browser to support Windows 7 (and 8.1). Of course, you really shouldn't be connecting Windows 7 boxes to the internet anymore so only do this if you physically can't use a different OS.
    • DistroWatch.com [distrowatch.com]
    • by bobby ( 109046 )

      > So if you're still using Windows 7 uninstall Chrome and use Firefox as it is the only mainstream browser to support Windows 7 (and 8.1). Of course, you really shouldn't be connecting Windows 7 boxes to the internet anymore so only do this if you physically can't use a different OS.

      People keep saying this, but I don't understand why they say it. Win7 box behind a firewall. AV turned on. How is a mature well-patched OS (Win7) LESS secure than oh, say, Win10 which seems to have more vulnerabilities every day?

      • by gweihir ( 88907 )

        Simple: Because Microsoft lets it rot, and even if Win7 was probably the best (or rather least bad) OS Microsoft ever made, there are still plenty of problems with it.

        • Windows 2000 was the best ever made. It is the last true version of Windows NT. NT kept getting better with every release. Each was faster, smaller, more stable. It was going places, the legacy of OS/2.

          Then they merged all the Windows 95/ME crap to make XP. Windows never recovered from that blunder.

          • by gweihir ( 88907 )

            Well. I do not regard Windows as something that should be put on a server, ever. So let me rephrase that: Win7 was probably the least bad end-user OS that Microsoft ever made.

          • > Windows 2000 was the best ever made. It is the last true version of Windows NT.

            Nope. That was 3.51. In NT4 they merged the Kernel and GDI memory spaces in pursuit of graphics performance and ruined NT forever. They literally chose to fundamentally compromise both stability and security at that moment, and no one should have taken it seriously as anything but a client OS again.

            With that said, Windows 2000 was pretty good for what it was, but Windows 7 is better. Not only does it support all the things (there are patches and/or updates for all the modern technologies) but if you want it

        • by Merk42 ( 1906718 )
          Can you show me what version of what operating system that came out in 2009 is still supported to this day?
      • > AV turned on

        AV only knows about malware that's been researched or follows certain heuristics.

        Chrome heap corruption -> unpatched local exploit -> newish EFI rootkit (for instance) and all you know is your machine spontaneously rebooted.

        Even if you have no sensitive data there are DDoS botnet concerns.

      • by Teckla ( 630646 )

        > So if you're still using Windows 7 uninstall Chrome and use Firefox as it is the only mainstream browser to support Windows 7 (and 8.1). Of course, you really shouldn't be connecting Windows 7 boxes to the internet anymore so only do this if you physically can't use a different OS.

        > People keep saying this, but I don't understand why they say it. Win7 box behind a firewall. AV turned on. How is a mature well-patched OS (Win7) LESS secure than oh, say, Win10 which seems to have more vulnerabilities every day?

        Because Chrome, and all other web browsers, use a bunch of DLLs supplied by the host OS. If the host OS no longer updates those DLLs, then those DLLs contain known vulnerabilities.

  • by mkse ( 10333947 ) on Sunday April 16, 2023 @06:04PM (#63454526)

    I asked Bing Chat (as a sidebar of Microsoft Edge) if Microsoft Edge was impacted as well since it is Chromium based. It gave me the following response with this link to the fix from Microsoft: https://learn.microsoft.com/en... [microsoft.com]

    Is Microsoft Edge impacted by CVE-2023-2033?

    Searching for: Microsoft Edge CVE-2023-2033

    Generating answers for you

    Yes, Microsoft Edge is impacted by CVE-2023-2033. CVE-2023-2033 is a high-severity type confusion weakness in the Chrome V8 JavaScript engine that impacts all Chromium-based browsers including Microsoft Edge (Chromium-based) according to Bleeping Computer[1]. Microsoft Edge has been updated to patch this security flaw[2][3].

    1. bleepingcomputer.com
    2. patchmypc.com
    3. learn.microsoft.com

    • by ArmoredDragon ( 3450605 ) on Sunday April 16, 2023 @06:19PM (#63454558)

      So all ten edge users are safe?

    • by quonset ( 4839537 )

      Gotta love how you were downmodded for providing useful information, especially when it comes from Microsoft itself.

      Apparently the Microsoft fanboys don't like it when you point out what a shitshow Edge is being so tightly tied to someone else's rendering engine because the overpaid hacks at Microsoft couldn't come up with any better.

    • by znrt ( 2424692 )

      > I asked Bing Chat (as a sidebar of Microsoft Edge) if Microsoft Edge was impacted as well since it is Chromium based.

      just for fun, i asked chatgpt 3.5. because i knew it couldn't know about it.

      Is Microsoft Edge impacted by CVE-2023-2033?

      "As of my knowledge cutoff date of September 2021, CVE-2023-2033 does not exist yet, as it refers to a vulnerability that may be discovered in the future."

      i'm really starting to like this thing. ofc it followed up with some boilerplate good advice on software maintenance.

  • After many years of seeing these stories, I worked out a few ideas about how to add make scripting engines a bit more resilient against such attacks -- and have made a GPL-licensed prototype + documentation. Specifically on the matter of type confusion, my proposed approach is to set aside most compiler optimizations, use mandatory type checking with bounds specified as part of a memory-binding primitive for all dynamic memory access, use a globally applicable CPU register allocation, get rid of the stack
  • Google has released an emergency security update for its Chrome browser, addressing a vulnerability that is actively being exploited. This vulnerability is related to the browser's FileReader API, which could allow an attacker to execute arbitrary code on a victim's system. Users are encouraged to update to the latest version of Chrome as soon as possible to ensure their systems are protected. It's also recommended to regularly update all software and applications to stay protected against potential securit
  • High usually means it needs other flaws to do anything bad. If it is actively exploitable, it should be critical.
