Concerned by the lacklustre patching reports, communities of security professionals have urged to patch a zero-day vulnerability in Chrome Open-Source Software (OSS) browser. Google issued the patch on April 14.
Microsoft urged users and companies to upgrade to Edge version 112.0.1722.48 using the emergency patch. The Microsoft Edge based on Chromium and was released on January 15, 2020.
“Microsoft is aware of the recent exploits existing in the wild. We are actively working on releasing a security fix,” said the Microsoft announcement of the patch.
The high-severity vulnerability CVE-2023-2033 can allow hackers to exploit heap corruption on unpatched devices. “A heap is a tree-based data structure in which all the nodes of the tree are in a specific order,” according to an article by Hackerearth.
Zero-day vulnerability in Chrome
The actively exploited zero-day vulnerability in Chrome was a type confusion issue in the V8 Javascript engine. Last year Google patched nearly nine zero-day vulnerabilities.
Exploiting heap corruption through an HTML page may lead to a memory leak while the memory gets inaccessible to the program.
This zero-day vulnerability in Chrome was alerted about by external researchers and must be patched on Windows, Mac, and Linux-based devices.
The zero-day vulnerability in Chrome would have also led to crashing the browser after exploiting the memory. Hackers could also run arbitrary codes and increase the impact on affected networks.
Google did not make any statements about the exploit cases or impact thereafter. The communications giant will release additional details in future updates.
The bug can automatically check and install the updates with manual effort.
Other zero-day vulnerabilities in Google
Recently Google published a report on zero-day vulnerabilities that stated that vendors had agreed to actively alert about the found-in-the-wild exploitation of bugs on their security bulletin. They also agreed to share exploit samples with related technical details with a focus on reducing memory corruption flaws.
The report also featured the a graph highlighting the difference between 0 days found over a period.
After a dip in the number of 0-day vulnerabilities in 2018, the highest spike was noticed in the year 2021.
“While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry’s ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021,” the Google report read.
Patch management and zero-days
“A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available,” said a Microsoft advisory.
Zero-day vulnerabilities often have high severity levels and are actively exploited, it noted.
Zero-day exploits aren’t only highly valued in legitimate bug bounty programs — with one even fetching up to US$2 million — they are also valuable in underground marketplaces,” said a Trend Micro report.
For threat actors, zero-day exploits are a boon because most security defenses are designed to handle known flaws. Attacks based on unknown and unpatched vulnerabilities can thus go unnoticed for a long time.
According to the Trend Micro report, the effectiveness of a zero-day attack hinges on the organization’s “window of exposure,” which is the duration between the identification of a security flaw and the implementation of a patch to address it.
Even vulnerabilities that are already known can have a substantial window of exposure, either due to the organization’s patch management practices or the complexity of creating the patch. A more extended window of exposure increases the probability that an attack will go unnoticed.
