Dec 21, 2023 - 3:41 a.m.

Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild - Update ASAP

The Hacker News
thehackernews.com
Tags: chrome, vulnerability, zero-day, webrtc, google, cve-2023-7024, exploited, security update, remote code execution, chromium-based browsers, patch, threat actors, ransomware, web security, program crashes, arbitrary code execution

CVSS3: 9.6 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score: 9.6 High (Confidence: High)

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.41 Medium (Percentile: 96.9%)

New Chrome Zero-Day Vulnerability

Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild.

The vulnerability, assigned the CVE identifier CVE-2023-7024, has been described as a heap-based buffer overflow bug in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution.

Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw on December 19, 2023.

No other details about the security defect have been released to prevent further abuse, with Google acknowledging that “an exploit for CVE-2023-7024 exists in the wild.”

Given that WebRTC is an open-source project and that it’s also supported by Mozilla Firefox and Apple Safari, it’s currently not clear if the flaw has any impact beyond Chrome and Chromium-based browsers.

The development marks the resolution of the eighth actively exploited zero-day in Chrome since the start of the year -

A total of 26,447 vulnerabilities have been disclosed so far in 2023, surpassing the previous year by over 1,500 CVEs, according to data compiled by Qualys, with 115 flaws exploited by threat actors and ransomware groups.


Remote code execution, security feature bypass, buffer manipulation, privilege escalation, and input validation and parsing flaws emerged as the top vulnerability types.

Users are recommended to upgrade to Chrome version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
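One way to verify the upgrade advice above across a fleet, as an added example that is not from the article or from Google: a Python check that compares an installed Chrome build against the fixed builds named in the text, using numeric rather than string comparison so that a build like 120.0.6099.99 is not mistaken for a newer one. The hostnames and version outputs are constructed samples, and the Windows 129/130 builds are treated as a single minimum of 129.

```python
from __future__ import annotations

import re

# Minimum patched Google Chrome builds for CVE-2023-7024 as stated in the article:
# 120.0.6099.129/130 on Windows, 120.0.6099.129 on macOS and Linux.
FIXED_VERSIONS = {
    "windows": (120, 0, 6099, 129),
    "macos": (120, 0, 6099, 129),
    "linux": (120, 0, 6099, 129),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a four-part Chrome version from a string such as the output of
    `google-chrome --version` ("Google Chrome 120.0.6099.129") or a bare version.
    Returning a tuple of ints makes comparisons numeric: as strings,
    "120.0.6099.99" would sort after "120.0.6099.129" and look patched."""
    match = re.search(r"\d+(?:\.\d+){3}", text)
    if match is None:
        raise ValueError(f"no Chrome-style version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(version_text: str, platform: str) -> bool:
    """True when the installed build is at or above the fixed build for the platform."""
    return parse_version(version_text) >= FIXED_VERSIONS[platform.lower()]


def check_fleet(records):
    """records: iterable of (host, platform, version output) -> [(host, vulnerable)]."""
    return [(host, not is_patched(output, plat)) for host, plat, output in records]


# Constructed sample inventory (not real hosts): a mix of patched and unpatched builds.
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 120.0.6099.130"),
    ("ws-02", "windows", "Google Chrome 120.0.6099.109"),
    ("mac-01", "macos", "Google Chrome 120.0.6099.129"),
    ("lx-01", "linux", "Google Chrome 119.0.6045.199"),
]

if __name__ == "__main__":
    for host, vulnerable in check_fleet(SAMPLE):
        print(f"{host}: {'UPDATE REQUIRED' if vulnerable else 'patched'}")
```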

