Google has released security updates for its Chrome browser, addressing a total of seven vulnerabilities. Among these vulnerabilities is a zero-day vulnerability that has been actively exploited by attackers.
The specific vulnerability, designated as CVE-2023-6345, is a serious bug in SKIA, an open library of 2D graphics. The vulnerability, which allows for an integrated overflow, was discovered by Benois Sevens and Cleman Lesin from Google’s threat analysis group on November 24, 2023.
While Google has confirmed the existence of an exploit for CVE-2023-6345, the company has not provided details about the specific attacks or threats associated with its use.
Interestingly, back in April 2023, Google had already released a patch for a similar vulnerability, CVE-2023-2136, which was also being actively exploited. It is possible that CVE-2023-6345 can bypass this previous patch.
CVE-2023-2136 allowed remote attackers to compromise the rendering process and potentially escape the sandbox by utilizing a specially crafted HTML page.
To date, Google has addressed a total of seven zero-day vulnerabilities in Chrome this year. These include:
- CVE-2023-2033 (CVSS: 8.8 rating) – Confusion of types in V8
- CVE-2023-2136 (CVSS: 9.6 rating) – Integer overflow in SKIA
- CVE-2023-3079 (CVSS: 8.8 rating) – Confusion of types in V8
- CVE-2023-4762 (CVSS: 8.8 rating) – Confusion of types in V8
- CVE-2023-4863 (CVSS: 8.8 rating) – Buffer overflow in Webp
- CVE-2023-5217 (CVSS: 8.8 rating) – Buffer overflow VP8 in LIBVPX
Users are strongly advised to update to the latest version of Chrome (119.0.6045.199/200 for Windows and 119.0.6045.199 for MacOS and Linux) to protect themselves against potential threats. Additionally, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should update their browsers as soon as the corresponding updates become available.