Google has released critical security updates for the Chrome web browser to address a high-severity zero-day vulnerability that was being actively exploited in the wild. The flaw, tracked as CVE-2023-7024, is a heap-based buffer overflow in the WebRTC multimedia framework that could enable malicious actors to execute arbitrary code on targeted systems.
We recommend that you upgrade your Chrome browser as soon as possible to avoid any potential security vulnerabilities and ensure a safer browsing experience.
Here are more details about the security flaw that Google recently patched.
Technical Details of the Vulnerability
The vulnerability was privately reported to Google by members of the Threat Analysis Group (TAG) - Clément Lecigne and Vlad Stolyarov - on December 19, 2023. Technical details have not been disclosed, in order to prevent further malicious abuse. Google has acknowledged the existence of proof-of-concept exploits leveraging the buffer overflow.
This marks the eighth actively exploited zero-day vulnerability in Chrome since January 2023, highlighting the browser's expanding attack surface. The seven earlier ones are:
- CVE-2023-2033 (CVSS 8.8) - Type confusion flaw in the V8 JavaScript engine
- CVE-2023-2136 (CVSS 9.6) - Integer overflow in the Skia graphics library
- CVE-2023-3079 (CVSS 8.8) - Type confusion in V8
- CVE-2023-4762 (CVSS 8.8) - Type confusion in V8
- CVE-2023-4863 (CVSS 8.8) - Heap buffer overflow in WebP image codec
- CVE-2023-5217 (CVSS 8.8) - Heap buffer overflow in VP8 video encoding in libvpx
- CVE-2023-6345 (CVSS 9.6) - Integer overflow in Skia
2023 Vulnerability Landscape
According to Qualys, over 26,000 vulnerabilities have been publicly disclosed so far in 2023, representing a year-on-year increase of more than 1,500 compared to 2022. 115 of these have been exploited in the wild, with remote code execution, security bypass, memory safety issues, and privilege escalation being among the top vulnerability types weaponized by threat actors and ransomware groups.
Upgrade Your Chrome Browser
To mitigate threats associated with the actively exploited heap overflow, Google has released Chrome versions 120.0.6099.129 and 120.0.6099.130 for Windows users, alongside 120.0.6099.129 for macOS and Linux.
We highly recommend that you update as soon as possible. Patches will also be rolled out to other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi over the coming days.
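As an added example (not code from Google or from this article's sources), the following Python script checks a software inventory against the fixed build 120.0.6099.129 named above. The host names and version strings are constructed, and the input format (the text printed by Chrome's --version option) is an assumption about how the inventory was collected. It covers Google Chrome only, because the other Chromium-based browsers number their builds differently.

```python
import re

# Fixed build named in the article for Windows, macOS and Linux.
PATCHED = (120, 0, 6099, 129)

# Matches the four-part Chrome version inside strings such as
# "Google Chrome 120.0.6099.109" (the format of `--version` output).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, patched=PATCHED):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so .13 sorts below .129.
    return "patched" if version >= patched else "vulnerable"


def audit(inventory):
    """Map each status to the sorted list of hosts reporting it."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed inventory (hypothetical hosts), not data from the article.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 120.0.6099.129"),
    ("ws-002", "Google Chrome 120.0.6099.109"),
    ("ws-003", "Google Chrome 120.0.6099.13"),  # a string compare would pass this
    ("ws-004", "Google Chrome 121.0.6167.85"),
    ("ws-005", "Google Chrome 119.0.6045.199"),
    ("ws-006", "chrome: command not found"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check, since a missing or unparsable version string says nothing about whether the installed build is fixed.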