Google has released an update for Chrome 119 with seven security fixes, including one for a vulnerability that is known to have already been exploited. The update addresses a new actively exploited zero-day, an integer overflow in the Skia graphics library (the same component as the earlier CVE-2023-2136), that could lead to program crashes or arbitrary code execution.
Google has released a number of security updates this year to fix zero-day vulnerabilities in Chrome, two of which have drawn the most attention:
- CVE-2023-4863: A heap buffer overflow in Google Chrome's WebP image decoder, patched earlier in 2023 after it was found being exploited in the wild
- CVE-2023-6345: An integer overflow in Skia, fixed in this release, for which an exploit is known to exist in the wild
To avoid your system being left exposed, check the installed build (Menu > Help > About Google Chrome, or open chrome://settings/help) and, if it is older than the following, manually update to the latest version of Chrome:
- Mac and Linux: 119.0.6045.199
- Windows: 119.0.6045.199/.200
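A small version check, added here as an example rather than code from the original article or from Google: it compares a Chrome build number numerically against the first fixed build named above (119.0.6045.199; the Windows .200 build also carries the fix) and triages a constructed fleet inventory. The hostnames and browser banners in `SAMPLE_INVENTORY` are made up, and `local_chrome_version` only works where a Chrome or Chromium binary is on PATH (typically Linux).

```python
# Added example, not from the original article: check whether a Chrome build
# carries the CVE-2023-6345 fix by comparing its four-part version numerically
# against the first fixed build named in the advisory (119.0.6045.199; Windows
# also shipped .200). Hostnames and banners in SAMPLE_INVENTORY are constructed.
import re
import shutil
import subprocess
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int, int]

# First stable build that includes the fix, per the advisory. Any build that
# compares greater (including later majors such as 120.x) also includes it.
MIN_FIXED: Version = (119, 0, 6045, 199)

# Chrome versions are four dot-separated integers, e.g. 119.0.6045.199.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Pull a Chrome version out of text such as 'Google Chrome 119.0.6045.199'.

    Returns a tuple of ints. Comparing tuples is numeric, which matters: as
    strings, '119.0.6045.99' sorts above '119.0.6045.199' and would look patched.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    a, b, c, d = (int(p) for p in m.groups())
    return (a, b, c, d)


def is_patched(version_text: str) -> bool:
    """True if the build is at or above MIN_FIXED. Unparsable input fails closed."""
    v = parse_version(version_text)
    return v is not None and v >= MIN_FIXED


def triage(inventory: Iterable[str]) -> Dict[str, str]:
    """Classify 'hostname <browser banner>' lines as patched / vulnerable / unknown.

    Lines whose banner is not Chrome/Chromium are 'unknown': Edge, Brave, Opera
    and Vivaldi use their own version numbers, so MIN_FIXED does not apply.
    """
    result: Dict[str, str] = {}
    for line in inventory:
        line = line.strip()
        if not line:
            continue
        host, _, banner = line.partition(" ")
        if not re.search(r"\b(Google Chrome|Chromium)\b", banner):
            result[host] = "unknown"
        elif parse_version(banner) is None:
            result[host] = "unknown"
        else:
            result[host] = "patched" if is_patched(banner) else "vulnerable"
    return result


def local_chrome_version() -> Optional[Version]:
    """Ask an installed Chrome/Chromium on PATH for its version; None if absent.

    Works on Linux (and macOS only if the binary is on PATH); on Windows use
    chrome://settings/help instead, since chrome.exe --version prints nothing.
    """
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(exe)
        if path is None:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        v = parse_version(out)
        if v is not None:
            return v
    return None


# Constructed sample inventory (hostnames and version banners are made up).
SAMPLE_INVENTORY = [
    "ws-01 Google Chrome 119.0.6045.199",
    "ws-02 Google Chrome 119.0.6045.200",
    "ws-03 Google Chrome 119.0.6045.105",
    "ws-04 Google Chrome 119.0.6045.99",
    "ws-05 Chromium 120.0.6099.71",
    "ws-06 Microsoft Edge 119.0.2151.97",
    "ws-07 Google Chrome (version unavailable)",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    local = local_chrome_version()
    print("local build:", ".".join(map(str, local)) if local else "not found")
```

The numeric comparison is the point: a naive string comparison of the fourth component would rank `.99` above `.199` and report a vulnerable build as fixed, and anything that cannot be parsed is reported as unknown or unpatched rather than silently passed.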
As is typically the case, the search giant acknowledged that “an exploit for CVE-2023-6345 exists in the wild,” but stopped short of sharing additional information surrounding the nature of attacks and the threat actors that may be weaponizing it in real-world attacks.
It’s worth noting that Google released patches for a similar integer overflow flaw in the same component (CVE-2023-2136) in April 2023 that had also come under active exploitation as a zero-day, raising the possibility that CVE-2023-6345 could be a patch bypass for the former.
CVE-2023-2136 is said to have “allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”
With the latest update, the tech giant has addressed a total of seven zero-days in Chrome since the start of the year –
- CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-4762 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
- CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in vp8 encoding in libvpx
- CVE-2023-6345 (CVSS score: 9.6) – Integer overflow in Skia (fixed in this update)
Users are recommended to upgrade to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.