The Information Highway


Google Chrome emergency update fixes 6th zero-day exploited in 2023

Google has fixed the sixth Chrome zero-day vulnerability this year in an emergency security update released today to counter ongoing exploitation in attacks. 

The company acknowledged the existence of an exploit for the security flaw (tracked as CVE-2023-6345) in a new security advisory published today.

"Google is aware that an exploit for CVE-2023-6345 exists in the wild," the company said.

The vulnerability has been addressed in the Stable Desktop channel, with patched versions rolling out globally to Windows users (119.0.6045.199/.200) and Mac and Linux users (119.0.6045.199).

Although the advisory notes that the security update may take days or weeks to reach the entire user base, it was available immediately when a manual check for updates was run earlier today.

Users who don't want to update manually can rely on the web browser to check for new updates automatically and install them after the next launch.
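For anyone responsible for a fleet rather than a single browser, the patched build numbers above can be turned into a simple inventory check. The following is an added example, not code from Google or from the article; the version floors are the ones the advisory lists (Windows 119.0.6045.199/.200, Mac and Linux 119.0.6045.199) and the inventory is a constructed sample.

```python
"""Check whether installed Chrome builds carry the CVE-2023-6345 fix.

Added example, not from the Chrome advisory. The minimum fixed builds are
the ones the article reports; hosts and versions below are constructed.
"""
from __future__ import annotations

# Minimum fixed Stable Desktop builds per platform (from the article).
# Windows shipped as .199 and .200; both are at or above the .199 floor.
FIXED_VERSIONS = {
    "windows": "119.0.6045.199",
    "mac": "119.0.6045.199",
    "linux": "119.0.6045.199",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version such as '119.0.6045.199' into an int tuple.

    Tuples of ints compare lexicographically, so 119.0.6045.200 > 119.0.6045.199
    and 120.0.1.2 > 119.0.6045.200, which a plain string comparison gets wrong.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed build for the platform."""
    floor = FIXED_VERSIONS[platform.lower()]
    return parse_version(installed) >= parse_version(floor)


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames from (host, platform, version) rows that still need the update."""
    return [host for host, platform, ver in inventory if not is_patched(platform, ver)]


# Constructed sample inventory, in the shape an endpoint-management export might have.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "119.0.6045.200"),
    ("ws-02", "windows", "119.0.6045.160"),
    ("mac-01", "mac", "119.0.6045.199"),
    ("lnx-01", "linux", "118.0.5993.117"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below the CVE-2023-6345 fix, update required")
```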

Likely exploited in spyware attacks

This high-severity zero-day vulnerability stems from an integer overflow weakness within the Skia open-source 2D graphics library, posing risks ranging from crashes to the execution of arbitrary code (Skia is also used as a graphics engine by other products like ChromeOS, Android, and Flutter).

The bug was reported on Friday, November 24, by Benoît Sevens and Clément Lecigne, two security researchers with Google's Threat Analysis Group (TAG).

Google TAG is known for uncovering zero-days, often exploited by state-sponsored hacking groups in spyware campaigns targeting high-profile individuals like journalists and opposition politicians.

The company has stated that access to the zero-day's details will remain restricted until most users have updated their browsers. If the flaw also affects third-party software that hasn't been patched yet, then the limitation on access to bug details and links will be extended. 

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company said.

This aims to reduce the likelihood of threat actors developing their own CVE-2023-6345 exploits, taking advantage of newly released technical information on the vulnerability.

In September, Google fixed two other zero-days (tracked as CVE-2023-5217 and CVE-2023-4863) exploited in attacks, the fourth and fifth ones since the beginning of 2023.

Previously, the company released security updates for CVE-2023-3079, CVE-2023-2136, and CVE-2023-2033. Google TAG also tagged a remote code execution bug (CVE-2023-4762) as a zero-day after discovering its use in spyware attacks, weeks after it was patched in early September.
