November 30, 2023 at 03:48PM
Google has released an urgent Chrome update to fix six security vulnerabilities, including an actively exploited zero-day flaw (CVE-2023-6345) relating to the Skia graphics library. Spyware risks are implied. Zyxel also patched critical issues affecting NAS devices. Users are urged to promptly update Chrome to mitigate security threats.
Meeting Takeaways:
1. **Google Chrome Security Updates:**
– Six security fixes have been rolled out for Google Chrome.
– An urgent update is needed due to an emergency patch for a zero-day flaw (CVE-2023-6345) with known exploit code.
2. **Details of the Zero-Day Flaw:**
– CVE-2023-6345 is a high-severity integer overflow vulnerability in the Skia graphics library.
– A compromised renderer process is needed by an attacker to exploit the bug, potentially allowing a sandbox escape.
– Google confirms the existence of an exploit for this vulnerability in the wild.
3. **Reporting and Implications:**
– The vulnerability was reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG).
– TAG’s involvement suggests possible abuses such as deploying spyware on victims’ machines.
4. **Zyxel Vulnerabilities:**
– Zyxel issued patches for six vulnerabilities, including three critically rated (9.8) ones.
– The notable vulnerabilities are command injection and improper neutralization flaws.
– Affected models NAS326 and NAS542 need a firmware update for patching.
5. **Historical Reference:**
– An integer overflow bug in Apple iMessage was abused in the past for spyware deployment (reference to Pegasus spyware).
6. **Chrome Update Recommendation:**
– Users are advised to update their Chrome browsers immediately to avoid security risks.
7. **Other Chrome Vulnerabilities Addressed:**
– Five other high-severity vulnerabilities were patched, including a type confusion flaw in spellcheck (CVE-2023-6348) and out-of-bounds access in libavif (CVE-2023-6350).
– Three use-after-free flaws patched in Mojo (CVE-2023-6347), WebAudio (CVE-2023-6346), and libavif (CVE-2023-6351).
– No known in-the-wild exploits for these additional issues reported.
Immediate action items following the meeting would be to ensure all Chrome browsers are updated to the latest version to mitigate the risk posed by the identified zero-day flaw and other vulnerabilities. Additionally, users/administrators of the Zyxel products mentioned should apply the firmware updates as directed to protect against the critical vulnerabilities reported.