New York | November 28, 2023 – Google has swiftly addressed the sixth zero-day vulnerability in Chrome for this year. Today’s emergency security update aims to counter the ongoing exploitation observed in recent attacks.
Google published a new security advisory acknowledging the vulnerability, tracked as CVE-2023-6345, and highlighting the exploit.
The fix has been promptly rolled out in the Stable Desktop channel. Patched versions are now being globally distributed to Windows users (versions 119.0.6045.199/.200) and to Mac and Linux users (version 119.0.6045.199).
While the advisory indicates that the complete user base might take days or even weeks to receive the security update, it was readily available when BleepingComputer checked for updates earlier today.
For users preferring not to update manually, the browser offers an automated update check that installs the patches upon the next launch.
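For administrators who would rather verify than wait for the rollout, the following added example (not code from Google or from the advisory) checks an inventory of Chrome versions against the patched Stable Desktop builds listed above. The inventory rows are constructed sample data, and treating any later build as patched is an assumption.

```python
import re

# Patched Stable Desktop builds as stated in the article (Windows also ships .200).
PATCHED_FLOOR = {
    "windows": (119, 0, 6045, 199),
    "mac": (119, 0, 6045, 199),
    "linux": (119, 0, 6045, 199),
}

# Chrome versions have four numeric parts: MAJOR.MINOR.BUILD.PATCH
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part version out of strings like 'Google Chrome 119.0.6045.159'."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one installation."""
    floor = PATCHED_FLOOR.get(platform.lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        # Platform not covered by the article, or the version was unreadable.
        return "unknown"
    # Assumption: builds numbered above the patched one also carry the fix.
    return "patched" if version >= floor else "needs-update"


def audit(inventory):
    """Map each host to its status; inventory rows are (host, platform, version)."""
    return {host: classify(platform, version) for host, platform, version in inventory}


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "119.0.6045.200"),
    ("ws-02", "windows", "119.0.6045.160"),
    ("mac-01", "mac", "Google Chrome 119.0.6045.199"),
    ("lnx-01", "linux", "118.0.5993.117"),
    ("lnx-02", "linux", "120.0.6099.62"),
    ("kiosk-01", "chromeos", "119.0.6045.192"),
    ("ws-03", "windows", ""),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual look, since the article gives patched versions only for Windows, Mac and Linux.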
This high-severity zero-day vulnerability originates from an integer overflow flaw within the Skia open-source 2D graphics library. Its risks range from potential crashes to the execution of arbitrary code. Notably, Skia is employed as a graphics engine in other products like ChromeOS, Android, and Flutter.
The vulnerability was initially reported on Friday, November 24, by Google’s Threat Analysis Group (TAG) members Benoît Sevens and Clément Lecigne. It highlights TAG’s consistent role in uncovering zero-days, which are often used in espionage campaigns targeting prominent figures such as journalists and political opposition members.
Google has taken a cautious approach by restricting access to the zero-day’s technical details until a majority of users update their browsers. If the vulnerability affects third-party software yet to be patched, access to bug details will remain restricted to mitigate the potential creation of CVE-2023-6345 exploits by threat actors.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the company said.
Earlier this year, Google successfully addressed two other zero-days exploited in attacks, CVE-2023-5217 and CVE-2023-4863, marking the fourth and fifth such fixes in 2023.