Google has released an urgent security update to fix a number of vulnerabilities in Chrome browser, including a zero-day vulnerability (CVE-2023-6345) that is being actively exploited in the wild.
About CVE-2023-6345
CVE-2023-6345, reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group, is due to an integer overflow in Skia – an open source 2D graphics library commonly used as a graphics engine for Google Chrome, ChromeOS, Android, Flutter, and others.
The company says that the vulnerability is being exploited by attackers, but will not be sharing further details until most users have applied the update.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the company noted.
The other vulnerabilities fixed this time around are:
- CVE-2023-6348 – Type confusion in Spellcheck
- CVE-2023-6347 – Use after free in Mojo
- CVE-2023-6346 – Use after free in WebAudio
- CVE-2023-6350 – Out of bounds memory access in libavif
- CVE-2023-6351 – Use after free in libavif
The company has addressed the vulnerabilities in the Stable channel and users are advised to update to versions 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, which will roll out over the coming days/weeks.
Exploited Chrome zero days
Google has recently had to fix several zero days in its Chrome browser that have been actively exploited in the wild.
One of those is CVE-2023-4863, a critical heap buffer overflow vulnerability that was initially stated to be in Chrome, but eventually re-classified and described as a vulnerability in the libwebp library (used by Chrome and many other software).
In late September, Google fixed another heap buffer overflow vulnerability (CVE-2023-5217), this time in vp8 encoding in libvpx – a Google and AOMedia video codec library.