In response to ongoing attacks exploiting a security vulnerability, Google released a security patch on 28th November, effectively addressing the sixth zero-day flaw in the Chrome browser this year. The company has officially acknowledged the existence of an exploit for the identified security flaw, tracked as CVE-2023-6345, in a recently published security advisory.
The Zero-Day Vulnerability CVE-2023-6345: This newly patched high-severity zero-day is an integer overflow in Skia, an open-source 2D graphics library. Because Skia serves as the graphics engine for products such as ChromeOS, Android, and Flutter, the flaw is particularly impactful. The risks associated with it range from system crashes to the potential execution of arbitrary code.
The flaw was discovered by Benoît Sevens and Clément Lecigne, security researchers at Google’s Threat Analysis Group (TAG), and was reported on 28th November. Google has taken the precaution of restricting access to bug details and links until most users have updated their Chrome browsers. This approach aims to minimize the risk of threat actors exploiting the vulnerability based on the released technical information.
Updated Patch Addresses The Below Vulnerabilities Along With CVE-2023-6345
- CVE-2023-6348: Type confusion in Spellcheck
- CVE-2023-6347: Use after free in Mojo
- CVE-2023-6346: Use after free in WebAudio
- CVE-2023-6350: Out-of-bounds memory access in libavif
- CVE-2023-6351: Use after free in libavif
Chrome’s Zero-Day Vulnerabilities Addressed In 2023: With this recent emergency update, Google has now addressed a total of six zero-day vulnerabilities in Chrome since the beginning of the year. The list includes:
- CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
- CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in vp8 encoding in libvpx
Affected Products
Google Chrome versions before 119.0.6045.199.
Solution
Google has released Chrome version 119.0.6045.199 for macOS and Linux and 119.0.6045.199/.200 for Windows.
SanerNow detects these vulnerabilities and automatically fixes them through patch management by applying security updates. We strongly recommend applying the security updates as soon as possible.