Google has released a critical update for a high-severity Chrome zero-day vulnerability. According to recent reports, Google says the vulnerability has been actively exploited. The vulnerability lies in the WebRTC framework and, when exploited, can lead to program crashes or arbitrary code execution. Given its severity, it poses significant online security risks.
In this article, we’ll dive into details of the vulnerability and the countermeasures Google has implemented to keep the vulnerability from being exploited further.
Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) are credited with discovering the vulnerability. However, details of any other security defects resulting in Google Chrome exploits have not yet been released, as withholding them helps prevent further exploits. Despite this, Google has acknowledged that:
“An exploit for CVE-2023-7024 exists in the wild.”
The Chrome zero-day vulnerability, identified as CVE-2023-7024, is described as a heap-based buffer overflow bug in the WebRTC framework. Those concerned about their browser safety and online security posture should know that buffer overflows can be used to execute arbitrary code outside of the program’s implicit security policy.
They can also be used to overwrite function pointers so that they point to the attacker’s code. Where the exploit leads to arbitrary code execution, the attacker can subvert additional web browser security services. Browser vulnerabilities of this kind therefore raise significant online security concerns.
Google Chrome has widespread usage across multiple platforms and is often used by high-value targets. Such circumstances make exploiting the Chrome zero-day vulnerability a feasible option for threat actors, as it can be used to expand the attack surface once initial access has been acquired.
As far as countermeasures for the vulnerability are concerned, Google has stated that: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.”
In addition to withholding information, Google has released a patch to keep such browser vulnerabilities from being exploited. Given the potential impact of the Chrome zero-day vulnerability, users are urged to adhere to web security best practices and update their Chrome browsers.
Looking back at 2023, CVE-2023-7024 is the eighth vulnerability Google has patched during the year. Other vulnerabilities Chrome faced in 2023 that could enable cyber attacks on browsers if exploited include:
Given that Google Chrome is widely used across multiple platforms, vulnerabilities within the browser serve as a feasible option for threat actors with malicious intent. The most recent Chrome zero-day vulnerability, if exploited, is similar to some of its predecessors and can lead to program crashes or arbitrary code execution.
The initial access acquired by exploiting the vulnerability could then be used to expand the attack surface and maximize damage to the target system. Such scenarios necessitate that proactive cybersecurity measures be used to safeguard against online security risks.
The sources for the piece include articles in The Hacker News and Cyber Security News.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/alert-new-chrome-zero-day-vulnerability-being-exploited/