Google Patches Another Chrome Zero-Day as Browser Attacks Mount

  /     /     /  
Publicated : 23/11/2024   Category : security


Google Patches Another Chrome Zero-Day as Browser Attacks Mount


The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.



For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it.
The latest zero-day, which Google is tracking as
CVE-2023-6345
, stems from an integer overflow issue in Skia, an open source 2D graphic library in Chrome. The bug is one of seven Chrome vulnerabilities for which Google issued a security update this week.
The companys
advisory
contained sparse details on CVE-2023-6345 beyond mentioning the fact that an exploit for it is publicly available. A brief description on NISTs National Vulnerability Database (NVD) site
described the flaw
as affecting versions of Chrome prior to 119.0.6045.199 and allowing a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a malicious file. The NVD identified the bug as a high-severity issue.
Google credited researchers at its Threat Analysis Group for finding and reporting CVE-2023-6345 on Nov. 24.
The vulnerability is the seventh zero-day that Google has rushed to patch amid active exploit activity this year and is the latest manifestation of growing attacker interest in Chrome and other browsers.
Since the beginning of this year, Apple, Google, Microsoft, and Firefox have all disclosed multiple critical vulnerabilities in their respective browsers, including a handful of zero-days. In some instances, a bug in some widely used component affected multiple browsers at once, as was the case with
CVE-2023-4863
, a zero-day heap overflow in WebP, a code library common to Chrome, Apple Safari, and Mozilla Firefox. In other instances, as with
CVE-2023-5217
, a zero-day bug in Chrome impacted multiple browsers based on Chromium technology, such as Microsoft Edge, Opera, Brave, and Vivaldi.
There were also multiple zero-days that Apple disclosed separately this year in its WebKit browser engine for Safari, including
CVE-2023-28205 
and three others in May:
CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373
. Both Microsoft and Mozilla have also separately reported other critical bugs in their respective browsers.
It is unclear which threat actor might be currently exploiting CVE-2023-6345, the bug that Google disclosed this week, or why. But in recent months, Google and Apple have warned about vendors of commercial surveillance products exploiting zero-day bugs in their respective browser technologies
to drop spyware
on Android, iOS, and other mobile devices. Google discovered CVE-2023-4863 after researchers at Apple and Toronto University Citizen Lab informed the company about a commercial vendor using the flaw to drop Predator spyware on Android and iOS devices.
Much of the growing attacker interest in browsers has to do with their ubiquitous use, says Lionel Litty, chief security architect at Menlo Security. The exploding use of Web applications has resulted in users spending most of their time on browsers for everything from accessing applications and webpages to additional content such as PDFs and other documents. Adding to this is the drive by Google to integrate even more features into its browser and make it a replacement for fat client technologies, Litty says. This includes enabling access to USB devices, Bluetooth, and even the GPU through the WebGPU interface.
Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable, including many zero-days that are actually exploited, he says.
The fact that multiple browsers are based on Chromium is another reason for attackers targeting the technology, Litty notes. Developing an exploit against Chrome usually means that it will work against all browsers, save Safari and Firefox, allowing bad actors to target more victims without any additional work.
Saeed Abbasi, manager of vulnerability and threat research at Qualys, points to similar reasons for Chromes growing popularity among threat actors. Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors, he says.
More generally, browser vulnerabilities present significant risks for organizations, Abbasi says. Attackers can use browser bugs to sneak malware and spyware into an organization. Additionally, attackers might exploit these weaknesses to steal login credentials and other data for potential future attacks.
To mitigate risks from browser vulnerabilities, organizations should prioritize regular updates and patch management to keep browsers up to date, Abbasi notes. Implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts.

Last News

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Google Patches Another Chrome Zero-Day as Browser Attacks Mount