A zero-day vulnerability that is being actively exploited in the wild is among the seven security flaws in Google’s Chrome browser that have been fixed by security updates.
The open-source 2D graphics library Skia has an integer overflow bug that has been identified as a high-severity vulnerability, tracked as CVE-2023-6345.
Credit for finding and reporting the vulnerability on November 24, 2023, goes to Google Threat Analysis Group (TAG) members Benoît Sevens and Clément Lecigne.
As usual, the search engine behemoth admitted that “an exploit for CVE-2023-6345 exists in the wild,” but it withheld further details about the type of attacks and the threat actors who might be using it as a weapon in actual operations.
The fact that Google issued patches in April 2023 for a related integer overflow vulnerability in the same component (CVE-2023-2136) that had also been actively exploited as a zero-day raises the possibility that CVE-2023-6345 is a patch bypass for the earlier vulnerability.
Together with researchers from Citizen Lab, Google TAG also revealed on Friday that Cytrox’s Predator spyware was installed between May and September 2023 using three zero-day vulnerabilities that Apple had patched last Thursday.
Google has disclosed that attacks had taken advantage of the CVE-2023-5217 zero-day, but it has not provided any further details about these occurrences.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google stated. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
Used in malware attacks
CVE-2023-5217 is a high-severity zero-day: a heap buffer overflow in the VP8 encoding of the open-source libvpx video codec library, with the potential to cause arbitrary code execution or app crashes.
On Monday, September 25, security researcher Clément Lecigne of Google Threat Analysis Group (TAG) reported the bug.
Google TAG researchers have a reputation for frequently identifying and disclosing zero-day vulnerabilities that are exploited in deliberate spyware attacks by government-sponsored threat actors and hacker groups that target vulnerable people like opposition politicians and journalists.
Users of Google Chrome will therefore have ample time to update their browsers in order to guard against any potential attacks.
CVE-2023-2136 is believed to have “allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”
According to Maddie Stone of Google TAG, spyware was installed using the CVE-2023-5217 zero-day vulnerability.
As more technical information becomes available, this proactive approach can help reduce the likelihood that threat actors will develop their own exploits and use them in actual situations.
Two weeks ago, Google resolved the fourth zero-day exploited in the wild since the year’s beginning (tracked as CVE-2023-4863).
To reduce possible threats, users are advised to update to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux. It is also recommended that users of browsers that use the Chromium platform, such as Microsoft Edge, Brave, Opera, and Vivaldi, install the updates as soon as they become available.
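To act on that advice across a fleet, the added example below (not Google's code) checks an inventory export against the fixed Chrome build named above. The inventory format, host names and sample versions are constructed for illustration; other Chromium-based browsers are flagged for a vendor check because the article gives no fixed build numbers for them.

```python
import re

# Fixed build from the article: 119.0.6045.199 (Windows also ships .200),
# so .199 is the minimum patched build on every platform.
FIXED_CHROME = (119, 0, 6045, 199)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed inventory lines (host,os,browser version string); not real data.
SAMPLE_INVENTORY = """\
ws-014,windows,Google Chrome 119.0.6045.200
ws-022,windows,Google Chrome 119.0.6045.160
mac-003,macos,Google Chrome 119.0.6045.199
lnx-101,linux,Google Chrome 119.0.6045.99
lnx-102,linux,Google Chrome 120.0.6099.62
ws-030,windows,Microsoft Edge 119.0.2151.97
kiosk-7,linux,Google Chrome (version not reported)
"""

def classify(browser_string):
    """Return 'patched', 'vulnerable', 'check-vendor' or 'unknown'."""
    if not browser_string.startswith("Google Chrome"):
        # Edge, Brave, Opera and Vivaldi use their own build numbers; the
        # article gives no fixed versions for them, so do not guess.
        return "check-vendor"
    match = VERSION_RE.search(browser_string)
    if match is None:
        return "unknown"
    # Compare as integer tuples: as strings, "99" sorts above "199".
    version = tuple(int(part) for part in match.groups())
    return "patched" if version >= FIXED_CHROME else "vulnerable"

def audit(inventory_text):
    """Map each host to its status; malformed lines are reported as 'unknown'."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",", 2)
        if len(fields) != 3:
            results[fields[0].strip()] = "unknown"
            continue
        host, _os_name, browser = (f.strip() for f in fields)
        results[host] = classify(browser)
    return results

def hosts_needing_action(inventory_text):
    """Hosts that are not confirmed patched, sorted for a stable report."""
    return sorted(h for h, s in audit(inventory_text).items() if s != "patched")

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```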