Google has released an emergency patch for the Chrome web browser to address a high-severity zero-day vulnerability (CVE-2023-7024) that is actively being exploited [2]. This vulnerability affects the open-source WebRTC component of Chrome [1], which enables real-time audio and video communication within web pages [1].

Description

The vulnerability is a heap buffer overflow bug that has been used in targeted attacks against vulnerable users [3]. Successful exploitation could allow an attacker to install programs, manipulate data [4], or create new accounts with full user rights [4]. The impact depends on the privileges of the user running the browser [4]: users operating with administrative rights are exposed to the greatest impact [4].

To protect against potential threats, Google has released an emergency update for all desktop users on Windows, Mac [2] [3], and Linux [2] [3], as well as Android users [3]. Google has not disclosed technical details of the vulnerability. Users are recommended to update Chrome to the latest version (120.0.6099.129 for Mac and Linux, and 120.0.6099.129/130 for Windows) [2]. MiWorkspace-managed machines are being updated [2]; the update only takes effect once Chrome or the computer is restarted [2]. On personal devices, Chrome should be set to update automatically, and users should check for pending updates [2].
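A fleet or helpdesk check for this advisory needs to compare the installed build against the fixed versions above. The following added example (not from the advisory or its sources) parses Chrome's `--version` output and decides whether a build is at or past the fix level; the fixed version numbers are the ones the advisory lists, while the platform keys, function names and the sample version strings are my own.

```python
"""Check whether a Chrome build is at or past the CVE-2023-7024 fix level.

Added example, not part of the original advisory. The fixed builds are the
ones the advisory lists; platform keys and function names are assumptions.
"""
import re
import subprocess

# Fixed builds per platform as stated in the advisory (Windows shipped two).
FIXED_VERSIONS = {
    "linux":   ["120.0.6099.129"],
    "mac":     ["120.0.6099.129"],
    "windows": ["120.0.6099.129", "120.0.6099.130"],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a 4-part Chrome version from text such as
    'Google Chrome 120.0.6099.109' and return it as a tuple of ints,
    so that ordinary tuple comparison orders builds correctly.
    Raises ValueError when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(installed, platform):
    """True when `installed` (a bare version or --version output) is at or
    above the lowest fixed build listed for `platform`."""
    fixed = min(parse_version(v) for v in FIXED_VERSIONS[platform.lower()])
    return parse_version(installed) >= fixed


def check_local_chrome(binary="google-chrome", platform="linux"):
    """Run the installed browser with --version and report patch status.
    Returns None when the binary is absent or fails to run."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_patched(out, platform)


if __name__ == "__main__":
    # Constructed sample --version lines; only the first is still vulnerable.
    for line in ("Google Chrome 120.0.6099.109", "Google Chrome 120.0.6099.129",
                 "Google Chrome 121.0.6167.85"):
        state = "patched" if is_patched(line, "linux") else "VULNERABLE"
        print(f"{line}: {state}")
```

Note that `--version` reports the binary on disk; a Chrome process that has not been restarted since the update may still be running the older, vulnerable build.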

Conclusion

The exploit for CVE-2023-7024 poses a significant risk to users, allowing attackers to gain unauthorized access and potentially compromise sensitive information. It is crucial for users to update Chrome to the latest version to protect against this vulnerability. Google is aware of the existence of an exploit in the wild and is taking steps to mitigate its impact. Users should remain vigilant and ensure their systems are up to date to minimize the risk of exploitation.

References

[1] https://www.forbes.com/sites/daveywinder/2023/12/21/hackers-prompt-emergency-google-0-day-attack-patch-for-chrome-users/
[2] https://safecomputing.umich.edu/security-alerts/update-google-chrome-asap-zero-day-vulnerability
[3] https://www.bitdefender.com/blog/hotforsecurity/attackers-are-exploiting-a-new-zero-day-flaw-in-chrome-patch-now/
[4] https://www.cisecurity.org/advisory/a-vulnerability-in-google-chrome-could-allow-for-arbitrary-code-execution_2023-145