A zero-day alert has been reported, exploiting a vulnerability in Google Chrome and remaining active in the wild.
What happened
Google recently released seven updates to fix security issues in its Chrome browser. While most of the security issues were resolved, one remains a zero-day vulnerability, meaning that Google had no time to prepare for the attack, and not all users are fully protected.
This vulnerability is considered high-severity, as it could potentially impact some of Chrome's 3.2 billion users.
The vulnerability, discovered by Benoit Sevens and Clement Lecigne of Google's Threat Analysis Group (TAG), is tracked as CVE-2023-6345 and was initially discovered on November 24th.
Google has released a Chrome update, urging individuals to install the latest browser as soon as possible.
Read more: What is a zero-day event?
Going deeper
Google has released minimal information regarding the zero-day vulnerability, except acknowledging that it currently exists in the wild. This means the malware is active and can still be found on user devices–specifically those who do not have the Chrome security update.
Users without the newest update may find their data at risk.
In their security release, Google noted that "access to bug details and links may be kept restricted until a majority of users are updated with a fix." The release further added that Google will "retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
Little information will likely be released as Google works to fully patch the vulnerability. With past zero-day vulnerabilities, Google has tended to keep information close to the chest,
The vulnerability has been described as an integer overflow bug in Skia, an open-source 2D graphics library used by Chrome's graphics engine.
Why it matters
According to one report, Google released a patch for a similar flaw in April, which had been tracked as CVE-2023-2136. The most recent vulnerability may be a result of the patch being bypassed.
Since the beginning of this year, Google has now addressed 6 zero-day vulnerabilities. Zero-day vulnerabilities continue to be on the rise and showcase the importance of organizations prioritizing preparation and continuous monitoring of their networks.
Related: HIPAA Compliant Email: The Definitive Guide
The big picture
Outside of the zero-day vulnerability, Google released six other updates to address security issues.
One update related to general ongoing internal security efforts. Three of the vulnerabilities were Use-After-Free, which occurs when a vulnerability allows for code to be substituted by an attacker.
Another vulnerability was Out-of-Bounds, which occurs when software alters memory. The sixth update resolved a Type Confusion vulnerability, where a resource is unable to be accessed, leading to a logical error.
None of the aforementioned vulnerabilities were as severe as the overflow bug in Skia, but they still posed potential risks.
As Google continues to resolve the zero-day vulnerability, we will likely learn of affected users and the impact the attack may have on Google.
Abby Grifno
