overview
This week, Google released security updates addressing seven security issues in its Chrome browser. One of the more emergent vulnerabilities, CVE-2023-6345, is considered high-severity and has been actively exploited in the wild. The vulnerability is a Skia Integer overflow flaw and could expose systems to data theft. Skia is an open-source 2D graphics library.
CVE-2023-6345 was discovered and reported by Google's Threat Analysis Group (TAG) on November 24, 2023. According to Google, an exploit for CVE-2023-6345 is in the wild but Google is withholding the technical details regarding the nature of attacks and the attackers exploiting the flaw – a common practice that allows users time to update.
Please note that a similar vulnerability (CVE-2023-2136) in the same component was patched in April 2023 after being actively exploited as a zero-day, raising concerns about CVE-2023-6345 possibly being a patch bypass for the former. Google’s update addresses a total of seven zero-days in Chrome since the beginning of the year, covering several vulnerabilities such as type confusion, integer overflow, and heap buffer overflow.
CVE-2023- 2033 (CVSS score: 8.8) |
Type confusion in V8 |
CVE-2023-2136 (CVSS score: 9.6) |
Integer overflow in Skia |
CVE-2023-3079 (CVSS score: 8.8) |
Type confusion in V8 |
CVE-2023-4762 (CVSS score: 8.8) |
Type confusion in V8 |
CVE-2023-4863 (CVSS score: 8.8) |
Heap buffer overflow in WebP |
CVE-2023-5217 (CVSS score: 8.8) |
Heap buffer overflow in vp8 encoding in libvpx |
Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should apply the fixes when available. Please see Avertium’s recommendations below.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-6345. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
SUPPORTING DOCUMENTATION
Chrome Releases: Stable Channel Update for Desktop (googleblog.com)
Google Patches Seventh Chrome Zero-Day of 2023 - SecurityWeek
Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability (thehackernews.com)
Update your Chrome browser ASAP to avoid this security exploit - The Verge