Second Google Chrome Zero-Day Bug Actively Exploited in Wild


Recently, Google released an emergency security update to fix another Chrome zero-day vulnerability actively exploited in the wild. This zero-day flaw has been tracked as CVE-2023-2136 and is the second zero-day vulnerability found this year.

In this case, the most exciting development is that Google knows a working exploit for CVE-2023-2136 is already available in the wild.

While Google releases this update through Stable Channel Update for all the major platforms, and here we have mentioned them accordingly:-

  • Windows: 112.0.5615.137/138
  • Mac: 112.0.5615.137 
  • Linux: 112.0.5615.165

This new emergency update from Google for Chrome comes with eight bug fixes.

EHA

  • High CVE-2023-2133: Out-of-bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
  • High CVE-2023-2134: Out-of-bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
  • High CVE-2023-2135: Use after free in DevTools. Reported by Cassidy Kim(@cassidy6564) on 2023-03-14
  • High CVE-2023-2136: Integer overflow in Skia. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-04-12 (Zero Day)
  • Medium CVE-2023-2137: Heap buffer overflow in SQLite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05

Besides this, Google asserted that the stable release will soon be available to all users of the above-mentioned platforms in the coming few days or weeks.

Second Google Chrome Zero-Day Bug of this year

This newly detected vulnerability is the second Google Chrome zero-day flaw found this year and has been actively exploited in the wild.

Here below, we have mentioned the details of both zero-day vulnerabilities found this year:-

Here the first one:-

  • CVE ID: CVE-2023-2033
  • Description: It’s a type of Confusion in V8.
  • Severity: HIGH
  • Reporting: It has been reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-04-11.

Here the second one:-

  • CVE ID: CVE-2023-2136 
  • Description: It’s an integer overflow in Skia.
  • Severity: HIGH
  • Reporting: It has been reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-04-12.

Skia, a widely-used open-source 2D graphics library owned by Google and written in C++, has been found to contain this critical vulnerability (CVE-2023-2136). 

This high-severity vulnerability involves an integer overflow and has the potential to cause significant harm to the affected systems.

Skia is an essential component of Chrome’s rendering pipeline, as it offers a wide range of APIs that enable the browser to render:-

  • Graphics
  • Shapes
  • Text
  • Animations
  • Images 

All these features make it a powerful tool for developers, enabling them to create stunning web experiences and deliver high-quality graphics across multiple platforms.

Among the most common software vulnerabilities, integer overflow bugs arise when a given operation generates a value that surpasses the maximum limit for the particular integer type being used. 

Such incidents frequently lead to unintended software behavior, often presenting security threats that can expose the system to unauthorized access or malicious attacks.

“Google is aware that an exploit for CVE-2023-2136 exists in the wild.” Google said.

Besides, Google has not provided further details in the brief to give the users time to patch their vulnerable Chrome versions. Not only that, doing so will also prevent any further exploitation. 

Update Now

To address the actively exploited security issue, the following are the steps that you need to follow to start the manual process of updating Chrome to the latest version:-

Second Google Chrome Zero-Day Bug Actively Exploited in Wild
Google Chrome 112.0
  • First of all, open the Chrome settings menu in the upper right corner.
  • Then you have to select the “Help” option.
  • Now select the “About Google Chrome” option.
  • That’s it; now your Chrome will check for the latest available update and download it.

So, to prevent further exploitation, it’s strongly recommended that users apply the available update as soon as they become available.

Looking For an All-in-One Multi-OS Patch Management Platform – Try Patch Manager Plus



Source link