Google has released security updates to address seven vulnerabilities in the Chrome browser, one of which is a zero-day that is already being actively exploited in the wild.
The high-severity vulnerability, tracked as CVE-2023-6345, has been identified as an integer overflow in Skia, the open-source 2D graphics library.
Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) are credited with finding and reporting it on November 24, 2023.
As is customary, the search engine giant confirmed that “an exploit for CVE-2023-6345 exists in the wild,” but it withheld further details on the nature of the attacks and the threat actors that could be weaponizing it in real-world attacks.
It’s worth noting that Google patched a related integer overflow vulnerability in Skia (CVE-2023-2136) in April 2023, which was also actively exploited as a zero-day. This suggests that CVE-2023-6345 may be a bypass of the fix for the earlier vulnerability.
CVE-2023-2136 is said to have “allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”
With the most recent version, the tech giant has fixed six zero-days in Chrome since the beginning of the year. The earlier five are:
- CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
- CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in vp8 encoding in libvpx
To reduce possible risks, users are advised to update to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux. Users of Chromium-based browsers such as Vivaldi, Microsoft Edge, Brave, and Opera are also advised to apply the fixes as soon as they become available.
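
The version check behind that advice, as an added example (not code from Google or from this article): it flags hosts whose Google Chrome build is below the fixed version and compares versions numerically, since a plain string comparison would wrongly rank `.99` above `.199`. The inventory format, host names and sample versions are constructed for illustration, and the check assumes Google Chrome only, because other Chromium-based browsers use their own version numbers.

```python
import re

# Fixed builds named in the article. Windows shipped as .199/.200,
# so .199 is treated as the minimum on every platform.
FIXED = {
    "windows": (119, 0, 6045, 199),
    "macos": (119, 0, 6045, 199),
    "linux": (119, 0, 6045, 199),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part version out of raw text such as
    'Google Chrome 119.0.6045.99 ' and return it as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def needs_update(platform, version_text):
    """True if the build is below the fixed version. Unknown platforms and
    unreadable versions also return True, so they get a manual look."""
    floor = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return True
    return version < floor  # tuple comparison is numeric, field by field


def triage(inventory):
    """Return the sorted host names that still need the update."""
    return sorted(host for host, plat, ver in inventory if needs_update(plat, ver))


# Constructed sample inventory: (host, platform, reported version string).
INVENTORY = [
    ("ws-001", "Windows", "119.0.6045.200"),
    ("ws-002", "Windows", "Google Chrome 119.0.6045.160"),
    ("mac-01", "macOS", "119.0.6045.199"),
    ("lin-01", "Linux", "Google Chrome 119.0.6045.99 "),  # string compare would pass this
    ("lin-02", "Linux", "Google Chrome 120.0.6000.10"),
    ("ws-003", "Windows", "unknown"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("needs update:", host)
```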