Google has fixed the sixth Chrome zero-day vulnerability this year in an emergency security update released today to counter ongoing exploitation in attacks.
The company acknowledged the existence of an exploit for the security flaw (tracked as CVE-2023-6345) in a new security advisory published today.
“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the company said.
The vulnerability is now addressed in the Stable Desktop channel, with patched versions rolling out globally to Windows users (119.0.6045.199/.200) and Mac and Linux users (119.0.6045.199).
Although the advisory says the security update may take days or weeks to reach the entire user base, it was available immediately when BleepingComputer checked for updates earlier today.
For users who don’t want to update manually, the browser checks for new updates automatically and installs them on the next launch.
Likely exploited in spyware attacks
This high-severity zero-day vulnerability stems from an integer overflow weakness within the Skia open-source 2D graphics library, posing risks ranging from crashes to the execution of arbitrary code (Skia is also used as a graphics engine by other products like ChromeOS, Android, and Flutter).
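To make the bug class concrete, here is an added example (not Skia’s code and not the CVE-2023-6345 code path, which Google has not published): a constructed pixel-buffer size computation that wraps in 32-bit arithmetic, next to an overflow-checked version that rejects such dimensions. The 1 GiB cap and the RGBA (4 bytes per pixel) layout are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the integer-overflow bug class named in the
 * article: a pixel-buffer size computed from untrusted image dimensions.
 * It is NOT Skia's code or the CVE-2023-6345 code path. */

/* Constructed upper bound a decoder might impose on one image (1 GiB). */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Vulnerable pattern: the product is evaluated in 32-bit arithmetic and
 * silently wraps, so a huge image yields a tiny (or zero) allocation while
 * the decode loop still writes width*height pixels -> heap overflow. */
uint32_t pixel_bytes_unchecked(uint32_t width, uint32_t height) {
    return width * height * 4u;   /* 4 bytes per RGBA pixel; wraps mod 2^32 */
}

/* Hardened pattern: detect overflow at every step and enforce a size cap.
 * Returns 0 when the dimensions must be rejected (0 is never a usable size
 * here, since zero-sized images are rejected up front). */
size_t pixel_bytes_checked(uint32_t width, uint32_t height) {
    size_t pixels, bytes;
    if (width == 0 || height == 0) return 0;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels)) return 0;
    if (__builtin_mul_overflow(pixels, (size_t)4, &bytes)) return 0;
    if (bytes > MAX_IMAGE_BYTES) return 0;
    return bytes;
}

/* How far past the wrapped allocation a decode loop would write. */
uint64_t overrun_bytes_unchecked(uint32_t width, uint32_t height) {
    uint64_t needed = (uint64_t)width * height * 4u;
    uint64_t allocated = pixel_bytes_unchecked(width, height);
    return needed > allocated ? needed - allocated : 0;
}

int main(void) {
    uint32_t w = 65536u, h = 16384u;       /* 2^30 pixels, 2^32 bytes */
    printf("unchecked size: %u bytes\n", pixel_bytes_unchecked(w, h));  /* 0 */
    printf("checked size:   %zu (0 = rejected)\n", pixel_bytes_checked(w, h));
    printf("overrun if allocated unchecked: %llu bytes\n",
           (unsigned long long)overrun_bytes_unchecked(w, h));
    return 0;
}
```

The same wrap is why a compiler-checked multiply (or a library’s `SafeMath`-style helper) belongs on every untrusted size computation, not only the final one.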
The bug was reported on Friday, November 24, by Benoît Sevens and Clément Lecigne, two security researchers with Google’s Threat Analysis Group (TAG).
Google TAG is known for uncovering zero-days, often exploited by state-sponsored hacking groups in spyware campaigns targeting high-profile individuals like journalists and opposition politicians.
The company says that access to the zero-day’s details might remain restricted until most users have updated their browser, with the restriction to be extended if the flaw also affects a library used by third-party software that hasn’t yet been patched.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the company said.
This aims to reduce the likelihood of threat actors developing their own CVE-2023-6345 exploits, taking advantage of newly released technical information on the vulnerability.
In September, Google fixed two other zero-days (tracked as CVE-2023-5217 and CVE-2023-4863) exploited in attacks, the fourth and fifth ones since the start of 2023.
Update: Revised story and title to correctly tag the zero-day as the sixth one patched this year.