Google Releases Emergency Fix for Chrome Zero-day
A lot of times you hear advice to "update your browser" (I may have said that myself). For Chrome, and most other browsers, you never need to actually do anything to update the browser, but the browser will do it for you behind the scenes. Just make sure you fully exit the browser once a day to allow it to apply the update. Bad actors are using news like this to distribute malware via fake browser updates.
Check out the Chrome Enterprise settings to ensure that users are required to relaunch to finish the update process. Encourage users to click the relaunch prompt when shown rather than waiting for it to time out, or for your processes to intervene. Google reports an exploit for CVE-2023-2033 exists in the wild. Don't overlook updates for Chromium-based browsers: Brave, Opera, Vivaldi, etc.
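The relaunch settings mentioned above can be audited from the managed-policy files an administrator pushes to Chrome. The following script is an added example, not code from the original post or from Google; it assumes the documented Chrome policy names RelaunchNotification (1 = recommended, 2 = required) and RelaunchNotificationPeriod (milliseconds), and the Linux managed-policy directory /etc/opt/chrome/policies/managed/.

```python
"""Audit Chrome managed policy for forced relaunch after an update.

Assumed (documented by Google, not taken from the page above):
  RelaunchNotification       1 = recommended, 2 = required
  RelaunchNotificationPeriod grace period in milliseconds (default 7 days)
"""
import json
from pathlib import Path

REQUIRED = 2
ONE_DAY_MS = 24 * 60 * 60 * 1000
DEFAULT_PERIOD_MS = 7 * 24 * 60 * 60 * 1000   # Chrome's default when the key is unset


def recommended_policy() -> dict:
    """Policy that forces users to relaunch within one day of an update landing."""
    return {"RelaunchNotification": REQUIRED,
            "RelaunchNotificationPeriod": ONE_DAY_MS}


def audit_relaunch_policy(policy: dict, max_period_ms: int = ONE_DAY_MS) -> list:
    """Return a list of findings for one policy dict; an empty list means it passes."""
    findings = []
    mode = policy.get("RelaunchNotification")
    if mode != REQUIRED:
        findings.append(f"RelaunchNotification is {mode!r}; expected {REQUIRED} (required)")
    # A missing period means Chrome falls back to its 7-day default, which is too long.
    period = policy.get("RelaunchNotificationPeriod", DEFAULT_PERIOD_MS)
    if not isinstance(period, int) or period <= 0:
        findings.append(f"RelaunchNotificationPeriod is {period!r}; expected positive milliseconds")
    elif period > max_period_ms:
        findings.append(f"RelaunchNotificationPeriod is {period} ms; expected <= {max_period_ms} ms")
    return findings


def audit_policy_dir(policy_dir="/etc/opt/chrome/policies/managed") -> dict:
    """Audit every JSON policy file in a managed-policy directory (filename -> findings)."""
    return {p.name: audit_relaunch_policy(json.loads(p.read_text()))
            for p in sorted(Path(policy_dir).glob("*.json"))}


if __name__ == "__main__":
    # Constructed sample: relaunch only recommended, grace period left at the 7-day default.
    weak = {"RelaunchNotification": 1}
    for finding in audit_relaunch_policy(weak):
        print("FAIL:", finding)
    print("recommended policy findings:", audit_relaunch_policy(recommended_policy()))
```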
Since most browsers and even mobile operating systems push patches out constantly, “Emergency Fix” is pretty much an outdated term that largely only applies to Windows these days. Convince your CIO that since all those cloud services you use are able to patch continually, the same should be true for data center and fat client apps.
The type confusion vulnerability allows remote code execution and should be patched immediately. Several years ago, Google greatly simplified the patch management process for Chrome, now mirrored by all major browser vendors. It’s as simple as closing and reopening the browser.
Browsers, the universal clients, are open, general, flexible, feature-rich, complex, and vulnerable. Prefer purpose-built clients for sensitive applications.
William Hugh Murray
Read more in
Chrome Releases: Stable Channel Update for Desktop
Bleeping Computer: Google Chrome emergency update fixes first zero-day of 2023
Dark Reading: Google Issues Emergency Chrome Update for Zero-Day Bug
NIST: CVE-2023-2033 Detail