Google Patches 8th Chrome Zero-Day Exploited in 2023
December 20, 2023
Google has issued urgent updates to address yet another Chrome zero-day vulnerability that has been exploited in the wild, marking the eighth such vulnerability patched since the year began. The company confirmed in a security advisory published on Wednesday that it is aware of an active exploit for CVE-2023-7024. The zero-day bug was fixed for users in the Stable Desktop channel, with patched versions being distributed globally to Windows users (120.0.6099.129/130) and Mac and Linux users (120.0.6099.129), a day after it was reported to Google. The vulnerability was found and reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG), a team of security experts whose main objective is to protect Google users from state-sponsored attacks.
Google's TAG often uncovers zero-day vulnerabilities exploited by state-sponsored threat actors in targeted attacks designed to install spyware on the devices of high-risk individuals, such as opposition politicians, dissidents, and journalists. Although the security update could take several days or even weeks to reach all users, it was already available when a manual check for updates was performed. Users who do not wish to update manually can let the browser check for new updates automatically and install them on the next launch.
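To turn the patched build numbers above into a fleet check, the following script compares installed Chrome versions against the first Stable Desktop builds carrying the fix. It is an added example, not code from Google or the article; the host inventory it runs over is constructed.

```python
"""Check whether installed Chrome builds include the fix for CVE-2023-7024.

Added example, not from the advisory or the article. The minimum builds are
the Stable Desktop versions named above; the inventory below is constructed.
"""
from __future__ import annotations

# First Stable Desktop build carrying the fix, per platform (from the advisory
# coverage above; Windows shipped 120.0.6099.129 and .130, so .129 is the floor).
PATCHED_MIN: dict[str, tuple[int, ...]] = {
    "windows": (120, 0, 6099, 129),
    "mac": (120, 0, 6099, 129),
    "linux": (120, 0, 6099, 129),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Parse a four-part Chrome version string such as '120.0.6099.129'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, platform: str) -> bool:
    """True if the build is at or above the first Stable build with the fix.

    Integer tuples compare element by element, so 120.0.6099.130 sorts above
    120.0.6099.129 and 121.0.x.y sorts above any 120.0.x.y, which matches
    Chrome's own ordering (plain string comparison would get this wrong).
    """
    return parse_version(version) >= PATCHED_MIN[platform.lower()]


def audit(hosts: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames still running an unpatched build.

    `hosts` holds (hostname, platform, chrome_version) tuples, as an
    endpoint-management export might provide (constructed here).
    """
    return [host for host, plat, ver in hosts if not is_patched(ver, plat)]


# Constructed sample inventory.
SAMPLE_HOSTS = [
    ("ws-01", "windows", "120.0.6099.130"),  # patched
    ("ws-02", "windows", "120.0.6099.110"),  # same line, predates the fix
    ("mac-01", "mac", "120.0.6099.129"),     # exactly the patched build
    ("lx-01", "linux", "119.0.6045.199"),    # older major line, unpatched
]

if __name__ == "__main__":
    for host in audit(SAMPLE_HOSTS):
        print(f"{host}: update Chrome to close CVE-2023-7024")
```

The comparison only covers the Stable Desktop channel the advisory addresses; Beta, Dev and Canary builds carry their own version lines and need separate floors.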
The zero-day vulnerability (CVE-2023-7024) is due to a heap buffer overflow weakness in the open-source WebRTC framework, which many other web browsers and mobile apps use to offer Real-Time Communications (RTC) capabilities via JavaScript APIs. While Google has confirmed that CVE-2023-7024 was exploited as a zero-day in the wild, it has not yet provided further information about these incidents. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google stated. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed." This is done to minimize the chance of threat actors developing their own CVE-2023-7024 exploits by stopping them from utilizing newly released technical information.
Earlier this year, Google patched seven other zero-days exploited in attacks: CVE-2023-6345, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-4762, CVE-2023-2136, and CVE-2023-2033. Some of these, such as CVE-2023-4762, were only identified as zero-day bugs used to deploy spyware weeks after the company had issued patches.