
Google has released security updates to address seven vulnerabilities in the Chrome browser, one of which is a zero-day that is already being actively exploited in the wild.

The high-severity vulnerability, tracked as CVE-2023-6345, is an integer overflow bug in the open-source 2D graphics library Skia.

Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) are credited with discovering and reporting the flaw on November 24, 2023.

As is customary, Google confirmed that “an exploit for CVE-2023-6345 exists in the wild,” but withheld further details about the nature of the attacks and the threat actors who may be weaponizing it.

It is worth noting that Google patched a related integer overflow vulnerability in Skia (CVE-2023-2136) in April 2023, which was also exploited as a zero-day. This raises the possibility that CVE-2023-6345 is a bypass of that earlier fix.

CVE-2023-2136 was described as a flaw that “allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”

With this latest release, Google has fixed six actively exploited zero-days in Chrome since the start of the year, the other five being:

  • CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
  • CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
  • CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in VP8 encoding in libvpx

To reduce exposure, users are advised to update to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as soon as they become available.
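A small fleet-check helper, added here as an example and not taken from Google or the article: it parses a Chromium-style four-part version string (as printed by `google-chrome --version`) and reports whether it is at or above the 119.0.6045.199 build that carries the CVE-2023-6345 fix. The binary name `google-chrome` is an assumption for a Linux host; the `.200` Windows build is covered because it sorts above `.199`.

```python
import re
import subprocess
from typing import Optional, Tuple

# Lowest Chrome build carrying the CVE-2023-6345 fix (119.0.6045.199 on all
# platforms; Windows also ships 119.0.6045.200, which compares higher).
FIXED_BUILD: Tuple[int, int, int, int] = (119, 0, 6045, 199)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a dotted four-part Chromium version out of arbitrary text.

    Accepts both a bare "119.0.6045.199" and the full
    "Google Chrome 119.0.6045.199" line printed by --version.
    Returns None when no such version is present.
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version_text: str) -> bool:
    """True when the version in version_text is at or above FIXED_BUILD.

    Tuples compare component by component, so 119.0.6045.200 and 120.x
    both count as patched while 119.0.6045.160 does not.
    """
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no Chromium version found in {version_text!r}")
    return version >= FIXED_BUILD


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local Chrome binary for its version line; None if unavailable.

    The binary name is an assumption (Linux package default); pass the
    correct path on other platforms.
    """
    try:
        result = subprocess.run([binary, "--version"], capture_output=True,
                                text=True, check=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    line = installed_chrome_version()
    if line is None:
        print("Chrome not found; nothing to check")
    else:
        print(f"{line}: {'patched' if is_patched(line) else 'VULNERABLE, update now'}")
```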