Google Chrome Rolls Out Urgent Security Update to Address 6th Zero-Day Exploit in 2023

November 28, 2023

Google has released an emergency security update to address the sixth zero-day vulnerability discovered in Chrome this year. The company confirmed the existence and ongoing exploitation of this security flaw, known as CVE-2023-6345, in a recent security advisory.

"Google is aware that an exploit for CVE-2023-6345 exists in the wild," the company announced. The vulnerability is now being addressed in the Stable Desktop channel, with patched versions being rolled out globally to Windows (119.0.6045.199/.200), Mac, and Linux (119.0.6045.199) users.

Despite the advisory stating that the security update may take some time to reach all users, it was found to be immediately available upon checking for updates. The web browser will automatically check for and install new updates after the next launch for users who prefer not to manually update.

This high-severity zero-day vulnerability is due to an integer overflow issue within the Skia open-source 2D graphics library. This flaw could lead to a range of risks, from crashes to the execution of arbitrary code. The Skia library is also used as a graphics engine by other products like ChromeOS, Android, and Flutter.

This bug was reported on November 24 by Clément Lecigne, a security researcher with Google's Threat Analysis Group (TAG). Google TAG is recognized for identifying zero-days, which are often exploited by state-sponsored hacking groups in spyware campaigns targeting high-profile individuals such as journalists and opposition politicians.

Google has stated that details of the zero-day may remain restricted until most users have updated their browser. This restriction may be extended if the flaw also affects third-party software that has not yet been patched.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company explained. This strategy aims to minimize the chance of threat actors developing their own exploits for CVE-2023-6345, by limiting access to newly released technical information about the vulnerability.

In September, Google addressed two other zero-days, CVE-2023-5217 and CVE-2023-4863, that were being exploited in attacks. These were the fourth and fifth zero-days addressed since the beginning of 2023.

Related News

• Apple Rolls Out iOS/iPadOS 16.7.1 to Address Zero-Day Vulnerability
• Apple's Emergency Security Update Targets Newly Discovered Zero-Day Vulnerabilities
• Google's October 2023 Security Update for Android Fixes Actively Exploited Zero-days
• Microsoft Patches Zero-Day Vulnerabilities in Edge, Teams, and Skype
• Google Addresses Fifth Actively Exploited Chrome Zero-Day of 2023

Latest News

• Critical ownCloud Vulnerability Under Active Exploitation
• General Electric and DARPA Data Breach Raises National Security Questions
• Healthcare Behemoth Henry Schein Targeted Twice by BlackCat Ransomware
• Rhysida Ransomware Group Claims Attack on China Energy Engineering Corporation
• Critical Security Flaws in ownCloud File Sharing App Could Expose Admin Passwords