In the constantly changing field of cybersecurity, users are at risk from zero-day flaws. In a recent move, Google fixed the seventh zero-day vulnerability found in Chrome with an urgent patch. All Chrome users must comprehend the seriousness of these vulnerabilities and the potential consequences they may have.
Despite the arrival of the holiday season, software companies continue to issue patches for critical security vulnerabilities. Patches from Microsoft, Google, and Atlassian address vulnerabilities used in attacks. A vulnerability corrected by Cisco was considered so severe that it received an almost maximum CVSS score of 9.9.
Seven security updates for how to fix zero-day vulnerability in Chrome were released by Google at the end of November, including an emergency repair for a flaw that was already being exploited in actual attacks. The open-source 2D graphics package Skia has an integer overflow bug, CVE-2023-6345. Google knows about the existence of a wild exploit for CVE-2023-6345.
While the cure is unknown, Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group indicated that the exploit may be spyware-related.
Six additional vulnerabilities, including CVE-2023-6348 (a type-confusion vulnerability in Spellcheck) and CVE-2023-6351 (a use-after-free issue in libavif), were patched by Google and deemed to have a significant impact.
Google issued updates to address fifteen security vulnerabilities in its widely used browser. Three of the flaws addressed by the software giant were assigned a high severity rating. The first, identified as CVE-2023-5480, pertains to an improper implementation of Payments. The second, CVE-2023-5482, is a USB vulnerability characterized by inadequate data validation and carries a CVSS score of 8.8. CVE-2023-5849, the third high-severity vulnerability, is a USB integer overflow issue.
What is CVE-2023-6345?
At this juncture, scarce information exists regarding CVE-2023-6345, except that it pertains to an integer overflow vulnerability that affects the Skia component. Chrome’s graphics engine uses the open-source 2D graphics package Skia. VulnDB states that the product computes in a way that may result in an integer overflow or wraparound when the underlying logic presumes that the final value will consistently exceed the initial value. This can result in issues with availability, confidentiality, and integrity. Attackers exploiting vulnerabilities often withhold technical details.
Google frequently withholds technical information until most of Chrome’s 3.2 billion users have been protected by the update. According to Mike Walters, president and co-founder of risk-based patch management provider Action1, Google TAG researchers, who lately focused on spyware and APT vulnerabilities, disclosed the problem.
Google issued a remedy in April 2023 to address a comparable integer overflow vulnerability (CVE-2023-2136) in the identical component. Since the weakness was extensively exploited as a zero-day vulnerability for Google Chrome, the CVE-2023-6345 patch may prevent attackers from evading the previous update.
Six additional Google vulnerabilities
This Google update fixes more than the CVE-2023-6345 zero-day vulnerability for Google Chrome. There are five more, which are listed below:
- CVE-2023-6348 is a type of confusion vulnerability in Spellcheck.
- CVE-2023-6347 is used after free vulnerability in Mojo.
- CVE-2023-6346: is a use-after-free vulnerability in WebAudio9.
- CVE-2023-6350: is an out-of-bounds memory access vulnerability in libavif.
- CVE-2023-6351: is a use after-free vulnerability in libavif.
It is recommended that all Google Chrome browser and other browsers powered by the Chromium engine users promptly install and activate the most recent update.
Read this article to know more about how to fix zero-day vulnerability.
Ensure your browser has been updated.
The most recent security update brings the version of Google Chrome for Mac and Linux to 119.0.6045.199, while for Windows, it is 119.0.6045.199/.200. Navigate to the Help|About menu in Google Chrome to initiate the installation of the update automatically, if one is available.
If you have not noticed the update, please exercise patience, as its dissemination may take several days. Additionally, restart your browser once the update has been implemented; otherwise, it will remain inactive, and you will stay susceptible to intrusion.
Relax, your browser is now safeguarded against the most recent zero-day vulnerability for Google Chrome. For more such technology-related blogs and the latest updates, visit Adi4u.