Google Chrome Rolls Out Urgent Security Update to Address 6th Zero-Day Exploit in 2023

November 28, 2023

Google has released an emergency security update to address the sixth zero-day vulnerability discovered in Chrome this year. The company confirmed the existence and ongoing exploitation of this security flaw, known as CVE-2023-6345, in a recent security advisory.

"Google is aware that an exploit for CVE-2023-6345 exists in the wild," the company announced. The vulnerability is now being addressed in the Stable Desktop channel, with patched versions being rolled out globally to Windows (119.0.6045.199/.200), Mac, and Linux (119.0.6045.199) users.

Despite the advisory stating that the security update may take some time to reach all users, it was found to be immediately available upon checking for updates. The web browser will automatically check for and install new updates after the next launch for users who prefer not to manually update.

This high-severity zero-day vulnerability is due to an integer overflow issue within the Skia open-source 2D graphics library. This flaw could lead to a range of risks, from crashes to the execution of arbitrary code. The Skia library is also used as a graphics engine by other products like ChromeOS, Android, and Flutter.
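The article describes the bug class only in general terms, so the following is an added illustration of that class and not code from Google, Chromium or Skia, and it does not reproduce the specific defect behind CVE-2023-6345 (whose details the page does not disclose). It shows how a bitmap buffer size computed in 32-bit arithmetic silently wraps to a small value when width and height are large, and a checked version that refuses such inputs. The function names and the `MAX_BITMAP_BYTES` cap are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed upper bound for this example; real libraries choose their own. */
#define MAX_BITMAP_BYTES ((uint64_t)1 << 30)

/* Buggy pattern: the byte count is computed in 32-bit arithmetic, so a large
 * width * height wraps modulo 2^32 and yields a buffer far smaller than the
 * image that will later be drawn into it. */
uint32_t bitmap_bytes_unchecked(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel)
{
    uint32_t pixels = width * height;   /* wraps silently on overflow */
    return pixels * bytes_per_pixel;    /* wraps again */
}

/* Hardened pattern: widen before multiplying, check every product before it is
 * used, and cap the result. Returns false instead of a too-small size. */
bool bitmap_bytes_checked(uint32_t width, uint32_t height,
                          uint32_t bytes_per_pixel, size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0) {
        return false;
    }
    /* Two 32-bit factors always fit in a 64-bit product. */
    uint64_t pixels = (uint64_t)width * height;
    /* Guard the second multiplication explicitly. */
    if (pixels > UINT64_MAX / bytes_per_pixel) {
        return false;
    }
    uint64_t bytes = pixels * bytes_per_pixel;
    if (bytes > MAX_BITMAP_BYTES) {
        return false;   /* unreasonable size, reject rather than allocate */
    }
    *out = (size_t)bytes;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the inputs are rejected. */
size_t bitmap_bytes_or_zero(uint32_t width, uint32_t height,
                            uint32_t bytes_per_pixel)
{
    size_t size = 0;
    return bitmap_bytes_checked(width, height, bytes_per_pixel, &size) ? size : 0;
}

/* Allocation built on the checked computation: NULL on overflow or oversize. */
unsigned char *bitmap_alloc(uint32_t width, uint32_t height,
                            uint32_t bytes_per_pixel, size_t *size_out)
{
    size_t size;
    if (!bitmap_bytes_checked(width, height, bytes_per_pixel, &size)) {
        return NULL;
    }
    unsigned char *buf = calloc(size, 1);
    if (buf != NULL && size_out != NULL) {
        *size_out = size;
    }
    return buf;
}

int main(void)
{
    /* Constructed inputs: 65536 x 65536 RGBA wraps to 0 bytes in 32-bit math. */
    printf("unchecked 65536x65536x4 = %u bytes\n",
           bitmap_bytes_unchecked(65536, 65536, 4));
    printf("checked   65536x65536x4 = %zu bytes (0 means rejected)\n",
           bitmap_bytes_or_zero(65536, 65536, 4));
    printf("checked   1024x1024x4   = %zu bytes\n",
           bitmap_bytes_or_zero(1024, 1024, 4));

    size_t size = 0;
    unsigned char *buf = bitmap_alloc(65537, 65536, 1, &size);
    printf("alloc 65537x65536x1 -> %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The unchecked version is the shape that turns a malformed width/height pair into an undersized heap allocation, which is how an integer overflow in a graphics library becomes memory corruption; the checked version fails closed, which is the behaviour a patch for this class of bug restores.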

This bug was reported on November 24 by Clément Lecigne, a security researcher with Google's Threat Analysis Group (TAG). Google TAG is recognized for identifying zero-days, which are often exploited by state-sponsored hacking groups in spyware campaigns targeting high-profile individuals such as journalists and opposition politicians.

Google has stated that details of the zero-day may remain restricted until most users have updated their browser. This restriction may be extended if the flaw also affects third-party software that has not yet been patched.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company explained. This strategy aims to minimize the chance of threat actors developing their own exploits for CVE-2023-6345, by limiting access to newly released technical information about the vulnerability.

In September, Google addressed two other zero-days, CVE-2023-5217 and CVE-2023-4863, that were being exploited in attacks. These were the fourth and fifth zero-days addressed since the beginning of 2023.
