November 29, 2023 at 12:09PM
Google released an emergency security update for Chrome, patching the sixth zero-day vulnerability of the year, CVE-2023-6345, which is being exploited in attacks. Available globally, the update fixes an integer overflow in the Skia graphics library. Google is withholding exploit details to curb further misuse, particularly while third-party software that shares the bug remains unpatched.
Meeting Takeaways:
1. Google released an emergency security update to address the sixth Chrome zero-day vulnerability of the year, known as CVE-2023-6345, due to its active exploitation in attacks.
2. The company has confirmed the existence of an exploit for CVE-2023-6345 and has commenced a rollout of patched versions globally, targeting both Windows users (versions 119.0.6045.199/.200) and Mac/Linux users (version 119.0.6045.199).
3. The security update’s distribution may take a while to reach all users, but it was already available for instant update when checked by BleepingComputer.
4. Chrome can automatically check for updates and install them upon the next launch, giving users the option to avoid manual updates.
5. The zero-day vulnerability is due to an integer overflow in the Skia 2D graphics library, and it could lead to various risks, including system crashes and arbitrary code execution.
6. Google’s Threat Analysis Group (TAG) researchers, Benoît Sevens and Clément Lecigne, reported the vulnerability.
7. Google TAG has a history of discovering zero-days often used in state-sponsored spyware campaigns against notable targets like journalists and politicians.
8. Details about CVE-2023-6345 will be restricted until most users have updated their browsers. This restriction may be extended if the vulnerability also affects other third-party software that remains unpatched.
9. This restriction is to prevent threat actors from developing exploits based on the technical details of the vulnerability.
10. Other zero-day vulnerabilities that Google has patched earlier this year include CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-2136, and CVE-2023-2033, as well as a remote code execution bug, CVE-2023-4762, which was patched after being used in spyware attacks.
Note: The story and title have been updated to correctly identify this bug as the sixth actively exploited zero-day vulnerability patched by Google in the current year.
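As an added example (not from the original story, and not Google's or Chromium's code), the following script turns the patched build numbers quoted above into an inventory check: given a list of hosts with their platform and installed Chrome version, it reports which ones still run a build older than the fix. The patched thresholds (Windows 119.0.6045.199/.200, Mac/Linux 119.0.6045.199) are taken from the story; the hostnames, the sample inventory, and the comparison logic are this example's own constructions.

```python
# Added example: flag Chrome installs older than the CVE-2023-6345 fix.
# Thresholds come from the story; everything else here is constructed.
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# Lowest patched build per platform, as reported in the story.
# Windows also ships .200, which compares greater than .199 and so passes.
PATCHED_MIN = {
    "windows": (119, 0, 6045, 199),
    "mac": (119, 0, 6045, 199),
    "linux": (119, 0, 6045, 199),
}


def parse_version(text: str) -> Version:
    """Turn '119.0.6045.199' into (119, 0, 6045, 199).

    Chrome versions always have four numeric components; anything else is
    rejected rather than silently compared, so a malformed inventory entry
    cannot be mistaken for a patched build.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the patched build."""
    key = platform.strip().lower()
    if key not in PATCHED_MIN:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) >= PATCHED_MIN[key]


def find_exposed(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose Chrome is still below the patched build.

    inventory rows are (hostname, platform, installed_version). Rows with
    an unparsable version are reported as exposed: an unknown state should
    be chased down, not assumed safe.
    """
    exposed = []
    for host, platform, version in inventory:
        try:
            if not is_patched(version, platform):
                exposed.append(host)
        except ValueError:
            exposed.append(host)
    return exposed


# Constructed sample inventory (hostnames and versions are made up except
# for the patched builds named in the story).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "119.0.6045.199"),   # patched
    ("ws-02", "windows", "119.0.6045.200"),   # patched (second Windows build)
    ("ws-03", "windows", "119.0.6045.160"),   # older build, exposed
    ("mac-01", "mac", "119.0.6045.199"),      # patched
    ("lin-01", "linux", "118.0.5993.117"),    # older major/minor, exposed
    ("lin-02", "linux", "120.0.6000.1"),      # constructed newer build, fine
    ("lin-03", "linux", "unknown"),           # unparsable, reported exposed
]

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below patched build for CVE-2023-6345")
```

The comparison is done on integer tuples rather than strings, so `119.0.6045.200` correctly sorts above `119.0.6045.199` and a later major version such as 120 passes without a special case; string comparison would get both of these wrong.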