Google has recently implemented security updates for its Chrome browser to address seven vulnerabilities, including a zero-day exploit that is actively being used in attacks.
The most critical of these, identified as CVE-2023-6345, is a high-severity integer overflow issue in Skia, a widely used open source 2D graphics engine. This flaw was discovered and reported by Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group on November 24, 2023.
Although Google confirmed the existence of an exploit for CVE-2023-6345, they have not disclosed detailed information about the nature of the attacks or the identity of the attackers.
Interestingly, a similar vulnerability in Skia, designated CVE-2023-2136, was patched in April 2023. This previous bug, also exploited as a zero-day, allowed attackers to escape the browser’s sandbox protection using a specially crafted HTML page. The new CVE-2023-6345 vulnerability raises concerns about whether it is a workaround for the earlier patch.
In total, Google has fixed six zero-day vulnerabilities in Chrome this year:
- CVE-2023-2033 (Type confusion in V8, CVSS score: 8.8)
- CVE-2023-2136 (Integer overflow in Skia, CVSS score: 9.6)
- CVE-2023-3079 (Type confusion in V8, CVSS score: 8.8)
- CVE-2023-4863 (Heap buffer overflow in WebP, CVSS score: 8.8)
- CVE-2023-5217 (Heap buffer overflow in vp8 encoding in libvpx, CVSS score: 8.8)
Users are urged to update to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux. Those using Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also apply these security updates as they become available to stay protected against potential threats.