Google fixes 8th Chrome zero-day exploited in attacks this year


Google has released emergency updates to fix another Chrome zero-day vulnerability exploited in the wild, the eighth patched since the start of the year.

“Google is aware that an exploit for CVE-2023-7024 exists in the wild,” a security advisory published Wednesday said.

The company fixed the zero-day bug for users in the Stable Desktop channel, with patched versions rolling out worldwide to Windows users (120.0.6099.129/130) and Mac and Linux users (120.0.6099.129) one day after being reported to Google.

​​​The bug was discovered and reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG), a collective of security experts whose primary goal is to defend Google customers from state-sponsored attacks.

Google’s Threat Analysis Group (TAG) frequently discovers zero-day bugs exploited by government-sponsored threat actors in targeted attacks aiming to deploy spyware on the devices of high-risk individuals, including opposition politicians, dissidents, and journalists.

Even though the security update could take days or weeks to reach all users, according to Google, it was available immediately when BleepingComputer checked for updates earlier today.

Individuals who prefer not to update manually can rely on their web browser to automatically check for new updates and install them upon the next launch.

CVE-2023-7024 tweet

Eighth Chrome zero-day patched this year

The high-severity zero-day vulnerability (CVE-2023-7024) is due to a heap buffer overflow weakness in the open-source WebRTC framework many other web browsers, such as Mozilla Firefox, Safari, and Microsoft Edge, to provide Real-Time Communications (RTC) capabilities (e.g., video streaming, file sharing, and VoIP telephony) via JavaScript APIs.

While Google knows that CVE-2023-7024 was exploited as a zero-day in the wild, it has yet to share further details regarding these incidents.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

This aims to reduce the likelihood of threat actors developing their own CVE-2023-7024 exploits by preventing them from taking advantage of newly released technical information.

Previously, Google patched seven other zero-days exploited in attacks, tracked as CVE-2023-6345, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-4762, CVE-2023-2136, and CVE-2023-2033.

Some of them, like CVE-2023-4762, were tagged as zero-day bugs used to deploy spyware weeks after the company released patches.





Source link