Google has rolled out an emergency update, addressing seven security vulnerabilities, with a particular focus on mitigating a zero-day flaw that has recently been actively exploited in the wild.
Identified as CVE-2023-6345, this high-severity vulnerability is characterised as an integer overflow bug within Skia, an open-source 3D graphics library.
Credit for the discovery and reporting of this flaw goes to Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group (TAG), who brought this issue to light on November 24, 2023. This incident also marks the sixth zero-day vulnerability that Google has addressed in Chrome this year.
The zero-day vulnerability, residing in Skia, presents a substantial risk, potentially leading to system crashes or the execution of arbitrary code. Skia is a vital component not only for Chrome but also for other Google products, including ChromeOS, Android, and Flutter.
Google acknowledged the existence of an active exploit in the wild for CVE-2023-6345. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” said the company in a security advisory without divulging any further information regarding the extent of the exploitation and how many systems were affected. This may be a strategic decision by Google until a significant portion of users update their browsers.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” Google declared.
Other security flaws that Google fixed in the latest update are as follows:
- CVE-2023-6348 (High): This flaw was reported to Google by Mark Brand of Google Project Zero. The flaw deals with type confusion in Spellcheck.
- CVE-2023-6347 (High): This flaw was reported by Leecraso and Guang Gong of 360 Vulnerability Research and it deals with use after free in Mojo.
- CVE-2023-6346 (High): This flaw was reported by Huang Xilin of Ant Group Light-Year Security Lab and deals with use after free in WebAudio.
- CVE-2023-6350 (High): This flaw was reported by Fudan University and deals with out-of-bounds memory access in libavif.
- CVE-2023-6351 (High): This flaw was reported by Fudan University and deals with use after free in libavif.
Google urged users to promptly update their browsers. Users should download the security update version 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows.
In September, Google released patches for an actively exploited vulnerability identified as CVE-2023-4863 in Chrome. In April this year, Google fixed yet another Chrome zero-day bug identified as CVE-2023-2033.
In 2022, Google patched eight zero-days. With a month remaining in the year, there has been a slight decrease in the number of zero-days compared to the previous year.
