Google patches exploited security issue in Chrome: update asap

Martin Brinkmann
Jun 7, 2023
Updated • Jun 10, 2023
Google Chrome
|
48

Google has released an update for Chromium and Google Chrome that addresses a security issue in the web browser that is exploited in the wild. Exploited in the wild means that Google is aware of attacks on the Internet that target this vulnerability.

The issue affects Chromium, the open source core of Chrome and many other browsers, including Microsoft Edge, Opera, Vivaldi and Brave Browser. Some organizations have published updates for their browsers already that address the issue, others are still working on updates.

Google published information about the new release on the official Chrome Releases website. There, the company informed users that it has fixed two security issues in the Chrome browser, one of which patches a vulnerability that is exploited in the wild.

The second vulnerability is not disclosed publicly, which Google does when a security issue is detected internally by the company.

Google provides the following information on the issue:

[$NA][1450481] High CVE-2023-3079: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-06-01. Google is aware that an exploit for CVE-2023-3079 exists in the wild.

The patch is available for Chrome Stable and Chrome Extended Stable for all supported desktop platforms.

Chrome users may load chrome://settings/help in the browser's address bar, or select Menu > Help > About Google Chrome to display the current version. Opening the page starts an automatic check for updates and any updated version is downloaded to the system at that point. A restart of the browser is required to complete the update.

The version of Google Chrome is the following one after the installation of the update:

  • Chrome for Mac and Linux: 114.0.5735.106
  • Chrome for Windows: 114.0.5735.110

Other Chromium-based browsers affected

All other Chromium-based browsers are affected by the security issue. Some have been updated already, including the following ones:

  • Microsoft Edge was updated to version 114.0.1823.41 on June 6, 2023 to fix CVE-2023-3079, which is the security issue that Google has stated is being exploited in the wild.
  • Brave Software has updated the company's Brave Browser to version 1.52.122 on June 6, 2023 to address the security issue in Chromium.
  • Vivaldi Software released a minor update for the stable version on June 5, 2023 to address the critical security issues.
  • Opera Software has released an update on June 8, 2023.

Closing Words

All users who run Chromium-based browsers on their desktop devices may want to update their web browsers immediately, provided that an update has been released that is addressing the security issue in the browser.

Summary
Article Name
Google patches exploited security issue in Chrome: update asap
Description
Google has released an update for Chromium and Google Chrome that addresses a security issue in the web browser that is exploited in the wild.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Bleeehhh said on June 8, 2023 at 3:13 pm
    Reply

    Say what you want about Google and their ad-revenue, pissing on privacy etc etc..it is an advertising company after all, with the sole purpose to make money. Now, they pay good money to people that find flaws in Chrome and they update very fast. How this can be seen as GARBAGE is beyond me, how can NOT updating the worlds most used browser when flaws are found be good for anybody..?? Brave users should just shut the f*ck up, you’re using chromium, go away. Firefox gatekeepers should just drown in a shallow ditch, your “browser” is ancient tech and an embarrasment by this point. Without Googles generous CHARITY, pity-money to Mozilla, you wouldn’t even have a browser anymore. NOBODY CARES WHAT BROWSER YOU USE, YOU IDIOTS. The main thing is that it’s safe and works as expected. Don’t like updates? Use Internet Explorer then, just go to Hell and die while you’re at it. I bet you’re vegan too…

    1. Andy Prough said on June 8, 2023 at 10:55 pm
      Reply

      >”just go to Hell and die while you’re at it”

      You want them to go to hell, hang around for awhile, and then die? Is that the itinerary you are proposing?

      I feel refreshingly at ease after reading this rant, seeing as how it doesn’t mention Pale Moon. I guess I don’t have to die in a shallow ditch or anything. Sorry for all you other folks though. Especially [checks notes] Brave and Firefox users. You folks are in for a very rough time I guess. I would take some snorkel gear with me if I were you.

    2. John G. said on June 8, 2023 at 10:44 pm
      Reply

      A bad night, I suppuse.

    3. Anonymous said on June 8, 2023 at 4:27 pm
      Reply

      lol nice triggered post Chrome snowflake.
      btw Firefox is written in Rust so it’s newer than Chrome.
      Imagine being a Chrome fanboy.

      1. Iron Heart said on June 10, 2023 at 9:25 pm
        Reply

        @Anonymous

        Except Firefox isn’t written in Rust.

  2. John G: said on June 8, 2023 at 11:03 am
    Reply

    @owl, NoScript and Ublock Origin are equal like an egg is equal to a knife.

  3. Rick said on June 8, 2023 at 7:48 am
    Reply

    While it is true that Vivaldi is likely to release 6.1 any time now, this security patch was backported to 6.0 two days before the date of the article:
    https://vivaldi.com/blog/desktop/minor-update-five-6-0

  4. John G. said on June 8, 2023 at 6:42 am
    Reply

    @owl, the Cross-Site Scripting (XSS) filtering can be easily added by any browser, however it has been proved unuseful and some years ago the own powerful Google removed Chrome’s built-in XSS protection (XSS Auditor) for this same reason, replacing the XSS auditor to a new class of trusted APIs. And if I remember well, Microsoft also removed the XSS filter of Edge. So again, NoScript is the snake’s oil salesman about security, pure marketing euphoria.

    1. owl said on June 8, 2023 at 7:24 am
      Reply

      @John G.

      Not because it’s “useless”, but because it’s inconvenient for Google and Microsoft (e.g. Google Analytics uses cross-site scripting to collect relevant browsing and personal information).

      Also, in the discussion between Maone and Adblock Plus co-creator Wladimir Palant at the Wilders Security Forums, it was pointed out that “if a web page has an XSS vulnerability, it is pointless”, so in May 2007 A function called XSS Protection has been implemented since around May.
      NoScript: https://en.wikipedia.org/wiki/NoScript
      Usage: https://noscript.net/usage/
      FAQ: https://noscript.net/faq/

      I just posted a comment about “NoScript”.
      I’m not trying to convince you, use it or not, it’s up to you.
      However, it is recommended that you read through the citations provided (for future reference)

      1. John G. said on June 8, 2023 at 8:03 am
        Reply

        @owl, again in my humble opinion, NoScript has been, and still it is, the worst snake’s oil piece of software ever made, always talking about online security terms. I wonder how many hours and years have been globally worldwide spent with this pathetic and absurd extension. I met Noscript in 2013 and ten years laters it’s still the worst paranoid extension ever made. Pure garbage and wasted time, it’s like a plague itself once you leave it enter to your life.

      2. owl said on June 8, 2023 at 8:36 am
        Reply

        @John G.

        I have already retired and moved to a digital detox lifestyle, but I have high computer skills from work (I have experienced a wide variety of programs since before Windows OS, and CATIA, etc).
        Both “NoScript” and “uBlock Origin” have been users since Release.
        As @Andy Proough commented.
        That’s all from me.
        Well then.

      3. Yash said on June 8, 2023 at 11:40 am
        Reply

        @owl and @Andy Prough

        uBO can be configured to behave exactly like Noscript and more. Infact the customisation options are so effective even Noscript and hardcore Tor browser users wouldn’t dare turning them on.

        You have medium mode and hard mode – those are basic modes. Then you can disable javascript, all fonts(1st party and 3rd party), inline scripts, css and images. Your browser fingerprint will be reduced to just user-agent fingerprinting. After activating these modes, even Tor browser in strict settings would look a secondary privacy browser. And unlike Noscript, you can set these actions on a per-site basis.
        This is not a criticism of Tor or Noscript which predates uBO.

      4. Andy Prough said on June 8, 2023 at 3:09 pm
        Reply

        >”Then you can disable javascript, all fonts(1st party and 3rd party), inline scripts, css and images. Your browser fingerprint will be reduced to just user-agent fingerprinting. After activating these modes, even Tor browser in strict settings would look a secondary privacy browser.”

        Yes I’m aware, I’ve spent years browsing with all js, CSS, external fonts and large images disabled by default with uBlock Origin, along with things like all 3rd party frames and cookies. It’s actually my favorite way to browse the web, along with user agent spoofing and IP address redirects. Like a ghost.

      5. John G: said on June 8, 2023 at 11:03 am
        Reply

        @owl, NoScript and Ublock Origin are equal like an egg is equal to a knife.

  5. John G. said on June 8, 2023 at 3:27 am
    Reply

    @Anonymous, I only use Ublock Origin with Chrome’s “enhanced protection”. It’s more than enough for 99.99% of the whole browsing you will do. I started to use use Ublock Origin in August 2024, so after almost nine years of intense use I can say that this extension is the only one that you will need to browse secure for years and years. I used Netcraft for six months too, however I got really tired about all the ads and false positives and, have I said ads? Anyway everything is better than NoScript, because it’s nonsense to waste at least 15 minutes to configure a site just to see the f****** site. Really paranoid, absurd and as I said, it’s like a terror film.

    1. Anonymous said on June 8, 2023 at 5:20 pm
      Reply

      Is this an helpful addition, in stead of Noscript:

      https://www.majorgeeks.com/files/details/javascript_restrictor.html

      ?

      1. Andy Prough said on June 9, 2023 at 6:52 am
        Reply

        I don’t know about that extension, it looks like a fork of the JShelter extension. It even copies the text from the JShelter website. JShelter used to be called Javascript Restrictor, but the developer for this extension that you linked to is not listed on the JShelter developer page. So I would say you might not want to trust this version from the Major Geeks website, and instead look at the one on the JShelter website.

        My understanding is that the JShelter extension tries to protect users from fingerprinting, and there are arguments about whether it does its job well or not. I do not believe that this extension is used as an alternative to Noscript – it’s just for trying to prevent fingerprinting.

        If you just want an alternative to noscript you can use Brave Browser. Click on the Brave Shield and enable “Block Scripts”. Then you’ll be shown a number next to Block Scripts, click on that number and Brave will let you allow or disallow javascript from the various domains that serve the page you are on. It’s fairly simple and straightforward – probably a good bit simpler than noscript.

      2. owl said on June 9, 2023 at 10:12 am
        Reply

        I agree.
        I’ve tried the “JShelter extension” in the past and it does the same thing that “Noscript” does.
        However, JShelter is very troublesome in terms of effort. The conclusion is that “Noscript” is the best.
        If you can’t master ‘Noscript’ as some have argued in this comment section, using Brave and using ‘Brave Shield’ is a good alternative.
        I prefer Firefox with uBlock Origin and Noscript added, but the bottom line is that your options will vary depending on your sense of values.

    2. Andy Prough said on June 8, 2023 at 4:18 am
      Reply

      >”Anyway everything is better than NoScript, because it’s nonsense to waste at least 15 minutes to configure a site just to see the f****** site. Really paranoid, absurd and as I said, it’s like a terror film.”

      Yes, except the ending to this particular terror film is that somebody’s Chrome instance is going to get pwned because of all these Chrome V8 javascript engine zero day exploits. uBlock Origin is capable of defending you against javascript exploits, but you have to use it in advanced mode, which also requires setting javascript configurations for each site, just like noscript.

      I would prefer that people use uBlock Origin in advanced mode to disable most javascript, but they usually find noscript to be easier to use for some reason, so that’s why I mention it first.

      1. John G. said on June 8, 2023 at 6:20 am
        Reply

        @Andy Prough I agree, indeed I know what you meant perfectly.

        However in normal life it’s impossible to control completely Javascript neither other risks unless you disable them. No Javascript no problems. You won’t do mostly nothing, however you can browse safer than never. As example, my father has more than 35 years using computers all day long and he still is unable to control Javascript in the way he desires, not due the lack of skills but due to lack of time. You can’t lose hours per day of your life just controlling and configuring what you visit just to visit the same sites again in a safely mode of your taste. It’s ridiculous. In this sense, just configuring the Javascript behaviour of a single newspaper website can consume more than twenty minutes (for sure), and then the website will update the next month (this have happened to me a lot of times). Time lost, I say you. The only way to trust Internet is to browse through secure and well known sites, using the “strict mode” tracking protection and plus the strict “enhanced security” than can be found in Edge, and also the “enhanced security that can be found at Chrome/Firefox.

        Just to see what I meant you can read the next interesting article, to read how there is no way to control all the open doors outside. The only way is using the common sense, the latest browsers updates, Ublock Origin and Cloudflare-malware/Quad9-11 DNS.

        https://securityboulevard.com/2023/04/the-top-ten-javascript-vulnerabilities-and-how-to-avoid-them/

      2. Andy Prough said on June 8, 2023 at 6:43 am
        Reply

        >”In this sense, just configuring the Javascript behaviour of a single newspaper website can consume more than twenty minutes (for sure), and then the website will update the next month (this have happened to me a lot of times).”

        I wouldn’t visit a site like that. If they are that bad, how can you ever trust them at all?

        I don’t visit newspaper websites, but I’m sure they are just full of awful scripts and other nasties. And are probably so poorly coded that you can’t have any faith they won’t be taken over by crime gangs to host their malware and inject it into visiting browsers.

        Whether I use noscript or uBlock Origin in advanced mode, if it takes me more than a few moments to get the site to run the way I like, then I just leave and stop visiting it. That’s one reason I love Ghacks – no javascript required, either to read articles or to comment.

      3. owl said on June 8, 2023 at 5:31 am
        Reply

        About the usefulness of Firefox dedicated extension “NoScript”:

        uBlock Origin is great, but
        By using NoScript together, you can block the very malicious “Cross-tab Identity Leak”.

        So Tor Browser (Firefox ESR) and Mullvad Browser (Firefox ESR) have “NoScript” implemented.
        https://mullvad.net/en/browser/hard-facts
        NoScript is used as the back-end of the Security Level feature and provides additional protections like Cross-Site Scripting (XSS) filtering. NoScript’s icon is hidden by default like in the Tor Browser, but can be added along other extensions from the Customize Toolbar menu.

        As a reference:
        The Mullvad Browser: A Privacy-Focused Browser Designed to Reduce Your Fingerprint – gHacks Tech News
        https://www.ghacks.net/2023/04/03/the-mullvad-browser-a-privacy-focused-browser-designed-to-reduce-your-fingerprint/#comment-4563254

    3. John G. said on June 8, 2023 at 3:28 am
      Reply

      * sorry for the type, I meant august 2014.

  6. Anonymous said on June 7, 2023 at 11:18 pm
    Reply

    Google is a proof of trust!
    Just because “a vulnerability was found” doesn’t mean that “Chrome users were harmed”.
    In the past, there have been no confirmed cases of users being harmed.

    Chrome, which is the overwhelming majority, is actively audited by third-party experts, so it is possible to prevent serious damage. Don’t worry.
    Firefox, which no one is paying attention to, would be more dangerous.

    Google has consistently been the industry leader and has always been right.
    Based on its track record, Google can be trusted.

  7. Flanagan said on June 7, 2023 at 9:44 pm
    Reply

    Everyone should use K-Meleon, it’s so safe it never gets any updates.

    1. Iron Heart said on June 8, 2023 at 8:28 am
      Reply

      People around here (sometimes deliberately) mistake the lack of popularity of applications like Firefox for actual base code security, what do you expect? This place isn’t what it used to be. Your K-Meleon example is funny, and hits the nail on the head.

      1. Frankel said on June 8, 2023 at 11:17 am
        Reply

        People around here (sometimes deliberately) mistake the sandboxing in applications like Chrome for actual base code security, what do you expect? This place isn’t what it used to be. Your Brave example is funny, and hits the nail on the head. Another 0-day each day.

      2. Iron Heart said on June 8, 2023 at 12:25 pm
        Reply

        @Frankel

        Way to miss my point. If you can only react with unfunny trolling, you know it is correct. Do you feel like you’re being called out, Frankel?

  8. Thorky said on June 7, 2023 at 5:14 pm
    Reply

    Google Chrome is the new Flash Player with its mass of securityleaks.

  9. Mothy said on June 7, 2023 at 3:45 pm
    Reply

    These constant updates do not give one much confidence in the security of anything based on Chromium. It does feel like it’s Swiss cheese and full of holes to be exploited at any given moment. Thus I have stopped using Ungoogled Chromium for anything Internet (as a secondary browser). Thinking of uninstalling it anyway just so I don’t have to deal with the frequent updates. I feel bad for the developers who donate their time to that project trying to keep up with all of these updates.

  10. BLM said on June 7, 2023 at 3:29 pm
    Reply

    Just when I almost learned how to use this version you want me to update!!!! NO!!!!!! THAT’S RACIST!!!!!!

  11. Andy Prough said on June 7, 2023 at 2:58 pm
    Reply

    Anyone using Chrome or a chromium-based browser should be using the noscript extension as a bare minimum to guard against these constant exploits.

    That V8 javascript engine Google has cobbled together is just swiss cheese – so full of holes it will never be safe.

    1. John G. said on June 7, 2023 at 3:26 pm
      Reply

      Noscript extension = the first step towards the delirium tremens.
      The worst scritp ever designed, disturbing all normal browsing.

      There is two good films of terror:
      IT, by Stephen King.
      Noscript, by Giorgio Maone.

      1. VioletMoon said on June 7, 2023 at 3:57 pm
        Reply

        “The Seventh Seal”–Ingmar Bergman

        Yet another security update for Chrome.

        No end . . . Pre-emptive coding with AI, I should think, would be the end to patch, patch, patch without ever solving the issue.

      2. owl said on June 8, 2023 at 6:42 am
        Reply

        Oh yeah, it’s a postscript about the “Chrome Web Store”
        Even with the introduction of “extension manifest V3” advocated by Google, it will continue to be the same as before, it can be asserted that the problem will never be solved.
        Because Google prioritizes revenue growth: Cost reduction: “replace with AI” is the Golden Rule.

      3. Iron Heart said on June 8, 2023 at 12:31 pm
        Reply

        @owl

        No actually security issues ARE being addressed with Manifest V3. For example, extensions can then no longer monitor and intercept (and redirect) the connections initiated within the browser by the user, thwarting many spyware and malicious redirect / scam attempts extensions currently make. But that same functionality is used by e.g. uBlock Origin to block ads, so that change is constantly being hated on here, and Mozilla is being celebrated for keeping the webRequest API around (because Firefox is meant to be so secure, lol).

        You know, my browser directly blocks ads without any third party extensions, so I will profit from the remaining extension ecosystem being less amenable to spyware and scamware. Win win for me.

      4. upp said on June 8, 2023 at 12:48 pm
        Reply

        @Iron Heart Stop being a hypocrite, the main point is that you want browsers to implement MV3 so extensions/addons will automatically worse than Brave’s built-in.

        Google want MV3 because they want to make Adblock worse that’s a fact, no sane person will think that a adblock extension/addon that:

        – Can’t auto-update filter lists
        – Can’t have more than 30k rules

        is better than MV2 adblock.

      5. Iron Heart said on June 8, 2023 at 1:00 pm
        Reply

        @upp

        > Iron Heart Stop being a hypocrite, the main point is that you want browsers to implement MV3 so extensions/addons will automatically worse than Brave’s built-in.

        ???

        No, I don’t. I am just saying that I will low-key profit from less intrusive extensions since my main extension – that would otherwise have used the API in question – is already built-in here. What other browsers do has no impact on me or my usage.

        > no sane person will think

        The question is whether or not I should care. I don’t, because why should I? My browser has built-in adblocking.

      6. Andy Prough said on June 8, 2023 at 2:59 pm
        Reply

        > “no sane person will think”
        >”The question is whether or not I should care. I don’t, because why should I?”

        So you do agree that you fall into the “no sane person” category @Iron Heart?

      7. Iron Heart said on June 8, 2023 at 4:28 pm
        Reply

        @Andy Prough

        > So you do agree that you fall into the “no sane person” category @Iron Heart?

        I feel I fall into “Judges beforehand if a change will even affect me” category of people. If that is the same as not sane, then so be it, I guess.

        I notice that people like you obsess about things they claim they don’t use, like you obsess over Chromium, Andy. Would you call that sane?

      8. Andy Prough said on June 8, 2023 at 6:53 pm
        Reply

        >”like you obsess over Chromium”

        I don’t think that’s accurate, I comment on a lot of articles here, and there happen to be a lot of articles about Chrome/chromium zero-day exploits. Do you think I should only comment on non-Chrome/chromium articles?

        I guess if I was obsessed, I would be the one creating the zero-day exploits and releasing them in the wild, just so that I could come to Ghacks and comment on them and argue with @Iron Heart about whether or not Chrome/chromium is secure. Which – you don’t know – maybe I’m actually doing that.

        Personally, I think Martin should focus more of his writing on Pale Moon and Seamonkey and Netsurf. And some of our obscure GNU/Linux browsers like Luakit and Surf and BadWolf and qutebrowser. THEN we would have some really good discussions. But no, we are stuck here like in an infinite time loop, always talking about the latest Google catastrophes. Ancient Hindus have probably written Vedic Upanishads discussing our infinite Google zero-day exploit discussions.

      9. owl said on June 8, 2023 at 5:48 am
        Reply

        > No end . . . Pre-emptive coding with AI, I should think, would be the end to patch, patch, patch without ever solving the issue.

        Totally agree and can conclude so.
        As you can see from the frequent incidents at the Google Web Store, the root cause is “review and checking by AI”. Mozilla has been able to overcome it because it has changed to “ stop AI review and replace it with human review and check by dedicated reviewers ”. This Mozilla approach is also highly appreciated at Brave.
        https://github.com/brave/brave-browser/issues/15187

      10. Iron Heart said on June 8, 2023 at 8:30 am
        Reply

        @owl

        Except only a tiny minority of extensions are actually getting manually reviewed by Mozilla, but hey, what gives, right? Unimportant detail easily missed, I guess.

      11. Frankel said on June 8, 2023 at 11:15 am
        Reply

        Those with high amounts of users get reviewed by Mozilla.
        Meanwhile Chrome: Extension has 75 million users, unreviewed and malicious.
        What gives? I’m sure a creative strawman will help distracting from facts.

      12. owl said on June 8, 2023 at 8:42 am
        Reply

        @Iron Heart,

        Never: 0
        Do at least (prioritize things that are popular or important): 0<

      13. Anonymous said on June 7, 2023 at 3:43 pm
        Reply

        John G, I fully agree with you w.r.t. Noscript. Do you have an advice to achive the same as Noscript in a more sane manner? I have the impression that Netcraft has some Noscript functionallity, is this true?

      14. John G. said on June 8, 2023 at 3:27 am
        Reply

        @Anonymous, I only use Ublock Origin with Chrome’s “enhanced protection”. It’s more than enough for 99.99% of the whole browsing you will do. I started to use use Ublock Origin in August 2024, so after almost nine years of intense use I can say that this extension is the only one that you will need to browse secure for years and years. I used Netcraft for six months too, however I got really tired about all the ads and false positives and, have I said ads? Anyway everything is better than NoScript, because it’s nonsense to waste at least 15 minutes to configure a site just to see the f****** site. Really paranoid, absurd and as I said, it’s like a terror film.

      15. giovanni said on June 8, 2023 at 1:54 pm
        Reply

        @John G.

        you wrote:
        @giovanni I don’t trust European’s DNS at all…
        @Anonymous, I only use Ublock Origin with Chrome’s “enhanced protection”.

        you have definitely made my day..

        best,

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.