Lucene search

The Hacker NewsTHN:A0F5B60897C100113027B4B7AD53709E

HistoryNov 29, 2023 - 4:27 a.m.

Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability

2023-11-2904:27:00

The Hacker News

thehackernews.com

146

google chrome

zero-day

exploit

patch

security

vulnerability

integer overflow

skia

google threat analysis group

cve-2023-6345

cve-2023-2136

cve-2023-2033

cve-2023-3079

cve-2023-4762

cve-2023-4863

cve-2023-5217

cvss score

browser

upgrade

windows

macos

linux

chromium-based

microsoft edge

brave

opera

vivaldi

active exploitation

threat mitigation

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.41 Medium

EPSS

Percentile

96.9%

JSON

Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild.

Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library.

Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw on November 24, 2023.

As is typically the case, the search giant acknowledged that “an exploit for CVE-2023-6345 exists in the wild,” but stopped short of sharing additional information surrounding the nature of attacks and the threat actors that may be weaponizing it in real-world attacks.

It’s worth noting that Google released patches for a similar integer overflow flaw in the same component (CVE-2023-2136) in April 2023 that had also come under active exploitation as a zero-day, raising the possibility that CVE-2023-6345 could be a patch bypass for the former.

CVE-2023-2136 is said to have “allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”

With the latest update, the tech giant has addressed a total of seven zero-days in Chrome since the start of the year -

CVE-2023-2033 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia
CVE-2023-3079 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-4762 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-4863 (CVSS score: 8.8) - Heap buffer overflow in WebP
CVE-2023-5217 (CVSS score: 8.8) - Heap buffer overflow in vp8 encoding in libvpx

Users are recommended to upgrade to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

(The story was updated after publication to include information about active exploitation of CVE-2023-4762.)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.