Google Releases Emergency Chrome Security Update (hothardware.com) 29
"Earlier this week, Google released an emergency security update for the Chrome browser due to a vulnerability that is being actively exploited in the wild," reports Hot Hardware:
On Friday, Google highlighted CVE-2023-2033, reported by Clément Lecigne of Google's own Threat Analysis Group (TAG). This vulnerability is a 'type confusion' bug in the JavaScript engine for Chromium browsers using the V8 JavaScript engine. In short, type confusion is a bug that allows memory to be accessed with the wrong type, allowing for the reading or writing of memory out of bounds. The CVE page says that an attacker could create an HTML page that allows the exploitation of heap corruption.
While there is no Common Vulnerability Scoring System (CVSS) score attached to the vulnerability yet, Google is tracking this as a "high" severity issue. This is likely due in part to the fact that "Google is aware that an exploit for CVE-2023-2033 exists in the wild."
The article notes that Chrome updates are generally done automatically, but you can also check for updates by clicking Chrome's three-dots menu in the top-right corner, then "Help" and "About Chrome."
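As an added illustration of the "memory accessed with the wrong type" problem the summary describes (this is not code from the article, Chrome or V8): a constructed toy object model in C where a number object is read through the array layout, next to an accessor that checks the type tag first. All type and function names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy object model (not V8's): each object starts with a type tag. */
typedef enum { T_NUMBER = 1, T_ARRAY = 2 } Tag;
typedef struct { Tag tag; double value; } NumberObj;
typedef struct { Tag tag; uint64_t length; int32_t elems[4]; } ArrayObj;

/* The confusion only matters because both payloads sit at the same offset. */
_Static_assert(offsetof(NumberObj, value) == offsetof(ArrayObj, length),
               "layouts must overlap for this demonstration");

/* Unsafe pattern: assumes obj is an array and takes whatever bytes lie at the
 * 'length' offset. The read stays inside the object, so this demo is well defined. */
uint64_t array_length_unchecked(const void *obj) {
    uint64_t len;
    memcpy(&len, (const char *)obj + offsetof(ArrayObj, length), sizeof len);
    return len;
}

/* Reports whether a bounds check built on the unchecked length would accept
 * the index. It never performs the element access itself. */
int unchecked_would_allow(const void *obj, uint64_t index) {
    return index < array_length_unchecked(obj);
}

/* Hardened accessor: verify the tag before interpreting any other field. */
int array_get_checked(const void *obj, uint64_t index, int32_t *out) {
    Tag tag;
    memcpy(&tag, obj, sizeof tag);
    if (tag != T_ARRAY) return 0;                   /* wrong type: refuse */
    const ArrayObj *a = (const ArrayObj *)obj;
    if (index >= a->length || index >= 4) return 0; /* real bounds check */
    *out = a->elems[index];
    return 1;
}

int main(void) {
    NumberObj n = { T_NUMBER, 1e300 };              /* constructed sample values */
    ArrayObj a = { T_ARRAY, 3, { 10, 20, 30, 0 } };
    int32_t v = 0;
    printf("number read as array length: %llu\n",
           (unsigned long long)array_length_unchecked(&n));
    printf("unchecked accepts index 1000: %d\n", unchecked_would_allow(&n, 1000));
    printf("checked on number: %d\n", array_get_checked(&n, 0, &v));
    printf("checked on array[1]: %d\n", array_get_checked(&a, 1, &v));
    return 0;
}
```

The number's bit pattern becomes an enormous "length", so a bounds check that trusts it stops protecting anything; the tag check is what keeps the length meaningful.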
Note that this isn't being released for Windows 7 (Score:3)
Re: (Score:1)
Re: (Score:2)
So if you're still using Windows 7 uninstall Chrome and use Firefox as it is the only mainstream browser to support Windows 7 (and 8.1). Of course, you really shouldn't be connecting Windows 7 boxes to the internet anymore so only do this if you physically can't use a different OS.
People keep saying this, but I don't understand why they say it. Win7 box behind a firewall. AV turned on. How is a mature well-patched OS (Win7) LESS secure than oh, say, Win10 which seems to have more vulnerabilities every day?
Re: (Score:3)
Simple: Because Microsoft lets it rot and even if Win7 was probably the best (or rather least bad) OS Microsoft ever made, there are still plenty of problems with it.
Re: Note that this isn't being released for Window (Score:2)
Windows 2000 was the best ever made. It is the last true version of Windows NT. NT kept getting better with every release. Each was faster, smaller, more stable. It was going places, the legacy of OS/2.
Then they merged all the Windows 95/ME crap to make XP. Windows never recovered from that blunder.
Re: (Score:2)
Well. I do not regard Windows as something that should be put on a server, ever. So let me rephrase that: Win7 was probably the least bad end-user OS that Microsoft ever made.
Re: (Score:2)
Windows 2000 was the best ever made. It is the last true version of Windows NT.
Nope. That was 3.51. In NT4 they merged the Kernel and GDI memory spaces in pursuit of graphics performance and ruined NT forever. They literally chose to fundamentally compromise both stability and security at that moment, and no one should have taken it seriously as anything but a client OS again.
With that said, Windows 2000 was pretty good for what it was, but Windows 7 is better. Not only does it support all the things (there are patches and/or updates for all the modern technologies) but if you want it
Re: (Score:2)
Re: (Score:2)
> AV turned on
AV only knows about malware that's been researched or follows certain heuristics.
Chrome heap corruption -> unpatched local exploit -> newish EFI rootkit (for instance) and all you know is your machine spontaneously rebooted.
Even if you have no sensitive data there are DDoS botnet concerns.
Re: (Score:2)
Article: Microsoft addresses vulnerability in Windows:
Comments: Haha M$ is dumb! Their OS is bad!
Article: Apple addresses vulnerability in macOS:
Comments: Haha Crapple is dumb! Their OS is bad!
Article: FOSS project addresses vulnerability in Linux:
Comments: OK, so it's fixed now, what's the big deal??
Re: (Score:2)
So if you're still using Windows 7 uninstall Chrome and use Firefox as it is the only mainstream browser to support Windows 7 (and 8.1). Of course, you really shouldn't be connecting Windows 7 boxes to the internet anymore so only do this if you physically can't use a different OS.
People keep saying this, but I don't understand why they say it. Win7 box behind a firewall. AV turned on. How is a mature well-patched OS (Win7) LESS secure than oh, say, Win10 which seems to have more vulnerabilities every day?
Because Chrome, and all other web browsers, use a bunch of DLLs supplied by the host OS. If the host OS no longer updates those DLLs, then those DLLs contain known vulnerabilities.
Microsoft Edge too... (Score:4, Informative)
I asked Bing Chat (as a sidebar of Microsoft Edge) if Microsoft Edge was impacted as well since it is Chromium based. It gave me the following response with this link to the fix from Microsoft: https://learn.microsoft.com/en... [microsoft.com]
Is Microsoft Edge impacted by CVE-2023-2033?
Searching for: Microsoft Edge CVE-2023-2033
Generating answers for you
Yes, Microsoft Edge is impacted by CVE-2023-2033. CVE-2023-2033 is a high-severity type confusion weakness in the Chrome V8 JavaScript engine that impacts all Chromium-based browsers including Microsoft Edge (Chromium-based) according to Bleeping Computer[1]. Microsoft Edge has been updated to patch this security flaw[2][3].
1. bleepingcomputer.com
2. patchmypc.com
3. learn.microsoft.com
Re: Microsoft Edge too... (Score:5, Funny)
So all ten edge users are safe?
Re: (Score:1)
If 10 people use Edge then 5 are using Firefox. https://www.w3schools.com/brow... [w3schools.com]
Re: (Score:3)
yeah, apparently it's just that one weird opera guy who is in trouble.
Re: (Score:2, Troll)
Gotta love how you were downmodded for providing useful information, especially when it comes from Microsoft itself.
Apparently the Microsoft fanboys don't like it when you point out what a shitshow Edge is being so tightly tied to someone else's rendering engine because the overpaid hacks at Microsoft couldn't come up with any better.
Re: (Score:2)
I asked Bing Chat (as a sidebar of Microsoft Edge) if Microsoft Edge was impacted as well since it is Chromium based.
just for fun, i asked chatgpt 3.5. because i knew it couldn't know about it.
Is Microsoft Edge impacted by CVE-2023-2033?
"As of my knowledge cutoff date of September 2021, CVE-2023-2033 does not exist yet, as it refers to a vulnerability that may be discovered in the future."
i'm really starting to like this thing. ofc it followed up with some boilerplate good advice on software maintenance.
Re: (Score:1, Troll)
Control. Win10 simply spies better on its users than Win7 does.
Re: (Score:2)
For the average person, who was running Windows 7 with automatic updates, Windows 7 was approximately as good at spying on you as Windows 10 — telemetry was delivered to Windows 7 and 8 via windows updates.
Re: (Score:2)
You see, Microsoft is the Swiss Cheese of security, full of holes. In Windows 10, some of those holes have naturally filled with mold. Windows 10 has fewer holes but is more rotten.
Seriously though, if you get an Enterprise key for Windows 10 then you can turn off all of the 'telemetry' and the Windows Store and other garbage. It is not too hard to make a Windows image free of the junk. I find Win10 as stable and nice to use as Win7 or better. Windows 11 however seems like one of those 'off' releases like W
An experimental scripting project (Score:1)
Urgent Security Update for Google Chrome Browser (Score:1)
Seems like the wrong classification (Score:2)
High usually means it needs other flaws to do anything bad. If it is actively exploitable, it should be critical.