November 29, 2023 at 08:36AM
Google has patched a zero-day vulnerability (CVE-2023-6345) impacting Chrome, involving an integer overflow in Skia graphics engine. Acknowledging active exploitation, Google’s update also fixes five other high-risk bugs, and issues $55,000 in bug bounties. This marks the seventh Chrome zero-day addressed in the year. Chrome version 119.0.6045.199/200 is being rolled out with these fixes.
Meeting Takeaways:
1. Google announced a security update for a zero-day vulnerability in the Chrome browser on Tuesday.
2. The vulnerability is identified as CVE-2023-6345, an integer overflow in the Skia graphics library.
3. Google is aware of an existing exploit for CVE-2023-6345 but has not shared exploitation details.
4. The vulnerability was reported by Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group (TAG).
5. Google TAG has previously identified several zero-day vulnerabilities indicating commercial surveillance software vendors’ involvement.
6. The Chrome update also addresses five other high-severity vulnerabilities involving Mojo, WebAudio, libavif, Spellcheck, and another bug in libavif.
7. Bounty rewards totaling $55,000 were distributed, with the largest single reward being $31,000 for CVE-2023-6347 reported by researchers from the 360 Vulnerability Research Institute.
8. As per Google’s policy, no rewards were issued for the Spellcheck and Skia flaws, as they were reported by Google’s own teams.
9. CVE-2023-6345 is the seventh Chrome zero-day addressed in the year, and the update patches previous zero-days including CVE-2023-5217 and CVE-2023-4762, among others.
10. An exploit for CVE-2023-4762 likely existed before its patch in September, which Google acknowledged after releasing the fix.
11. The Chrome update has been released and is rolling out to users as version 119.0.6045.199 for macOS and Linux, and versions 119.0.6045.199/.200 for Windows.
Related information:
– A password-stealing Chrome extension showcases new vulnerabilities.
– High-severity memory corruption threats have been patched in both Firefox and Chrome.
– Google awarded over $60,000 for vulnerabilities in the V8 engine patched with the Chrome 115 update.