Google Releases Eighth Zero-Day Patch of 2023 for Chrome

  /     /     /  
Publicated : 23/11/2024   Category : security


Google Releases Eighth Zero-Day Patch of 2023 for Chrome


CVE-2023-7024, exploited in the wild prior to patching, is a Chrome vulnerability that allows remote code execution within the browsers WebRTC component.



Google has issued an urgent update to address a recently discovered vulnerability in Chrome that has been under active exploitation in the wild, marking the eighth zero-day vulnerability identified for the browser in 2023.
Identified as
CVE-2023-7024
, Google said the vulnerability is a significant heap buffer overflow flaw within Chromes WebRTC module that allows remote code execution (RCE).
WebRTC is an open source initiative enabling real-time communication through APIs, and enjoys widespread support among the leading browser makers.
Lionel Litty, chief security architect at Menlo Security, explains that risk from exploitation is the ability to achieve RCE in the renderer process. This means a bad actor can run arbitrary binary code on the users machine, outside of the JavaScript sandbox.
However, real damage relies on using the bug as the first step in an exploit chain; it needs to be combined with a sandbox escape vulnerability in either Chrome itself or the OS to be truly dangerous.
This code is still sandboxed due to the multiprocess architecture of Chrome though, Litty says, so with just this vulnerability an attacker cannot access the users files or start deploying malware, and their foothold on the machine goes away when the impacted tab is closed.
He points out Chromes Site Isolation feature will generally protect data from other sites, so an attacker cant target the victims banking information, although he adds there are some subtle caveats here.
For example, this would expose a target origin to the malicious origin if they use the same site: In other words, a hypothetical malicious.shared.com can target victim.shared.com.
While access to the microphone or camera requires user consent, access to WebRTC itself does not, Litty explains. It is possible this vulnerability can be targeted by any website without requiring any user input beyond visiting the malicious page, so from this perspective the threat is significant.
Aubrey Perin, lead threat intelligence analyst at Qualys Threat Research Unit, notes that the reach of the bug extends beyond Google Chrome.
The exploitation of Chrome is tied to its ubiquity — even Microsoft Edge uses Chromium, he says. So, exploiting Chrome could also potentially target Edge users and allow bad actors a wider reach.
And it should be noted that Android mobile devices using Chrome have their own risk profile; they put multiple sites in the same renderer process in some scenarios, especially on devices that do not have a lot of RAM.
Major browser vendors have recently reported a growing number of zero-day bugs — Google alone reported
five since August
.
Apple, Microsoft, and Firefox are among the others that have disclosed a
series of critical vulnerabilities
in their browsers, including some zero-days.
Joseph Carson, chief security scientist and Advisory CISO at Delinea, says its no surprise that government sponsored hackers and cybercriminals target the popular software, constantly searching for vulnerabilities to exploit.
This typically leads to a larger attack surface due to the softwares widespread usage, multiple platforms, high-value targets, and usually opens the door to supply chain attacks, he says.
He notes these types of vulnerabilities also take time for many users to update and patch vulnerable systems.
Therefore, attackers will likely target these vulnerable systems for many months to come, Carson says.
He adds, As this vulnerability is being actively exploited, it likely means that many users systems have already been compromised and it would be important to be able to identify devices that have been targeted and quickly patch those systems.
As a result, Carson notes, organizations should investigate sensitive systems with this vulnerability to determine any risks or potential material impact.

Last News

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Google Releases Eighth Zero-Day Patch of 2023 for Chrome