ClickCease Alert: New Chrome Zero-Day Vulnerability Being Exploited

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Alert: New Chrome Zero-Day Vulnerability Being Exploited

by Wajahat Raja

January 2, 2024 - TuxCare expert team

Google, in light of recent events, has launched a critical update for a high-severity Chrome zero-day vulnerability. As per recent reports, Google claims that the vulnerability has been actively exploited. It’s worth noting that the vulnerability pertains to the WebRTC framework and, when exploited, can lead to program crashes or arbitrary code execution. Given its severity, it has raised significant online security risks

In this article, we’ll dive into details of the vulnerability and the countermeasures Google has implemented to keep the vulnerability from being exploited further.

 

Chrome Zero-Day Vulnerability Discovered


As of now, Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) are the two personnel credited with discovering the vulnerability. However, details of any other security defects resulting in
Google Chrome exploits have not been released till now, as it prevents further exploits. Despite this, Google has acknowledged that:

“An exploit for CVE-2023-7024 exists in the wild.”

The Chrome zero-day vulnerability, identified as CVE-2023-7024, is being described as a heap-based buffer overflow bug in the WebRTC framework. Those concerned about their internet browser safety and online security posture must know buffer overflows can be used for the execution of arbitrary code outside of the program’s implicit security policy. 

They can also be used to write function pointers pertaining to the attacker’s code. In cases where the exploit leads to arbitrary code execution, additional web browser security services can be subverted by the attacker. It’s worth mentioning that such browser vulnerabilities raise significant concerns pertaining to online security risks.

Google Chrome has widespread usage across multiple platforms and is often used by high-value targets. Such circumstances make exploiting the Chrome zero-day vulnerability a feasible option for threat actors, as it can be used to expand the attack surface once initial access has been acquired. 


Chrome Security Updates


As far as countermeasures for the vulnerability are concerned,
Google has stated that: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.”

In addition to retaining information, Google has released a patch to keep such browser vulnerabilities from being exploited. Given the potential impacts of the Chrome zero-day vulnerability, users are urged to adhere to web security best practices and update their Chrome browsers. 


Cybersecurity Threats 2023: Chrome’s Eighth Vulnerability


Taking a look back at 2023, it’s worth mentioning that CVE-2023-7024 has now become the
eighth vulnerability Google has patched over during 2023. Some of the other vulnerabilities with the potential for cyber attacks on browsers if exploited that Chrome faced in 2023 include:

  • CVE-2023-2033 – a type confusion vulnerability in the V8 JavaScript engine that allowed threat actors to exploit heap corruption using a crafted HTML page.
  • CVE-2023-2136 – an integer overflow vulnerability in Skia that compromised the renderer process and enabled a threat actor to perform a sandbox escape.
  • CVE-2023-3079 – another type confusion vulnerability with similar outcomes as its predecessor.
  • CVE-2023-4762 – a type confusion vulnerability in the V8 JavaScript engine and to the execution of arbitrary code by a threat actor.
  • CVE-2023-4863 – a heap buffer overflow in WebP image format and could have led to arbitrary code execution or a crash.
  • CVE-2023-5217 – a heap buffer overflow in vp8 encoding in libvpx, which, if exploited, could lead to program crashes or arbitrary code execution.
  • CVE-2023-6345 – an integer overflow in bug Skia that was exploited by threat actors in the wild.


Conclusion 


Given that Google Chrome is widely used across multiple platforms, vulnerabilities within the browser serve as a feasible option for threat actors with malicious intent. The most recent
Chrome zero-day vulnerability, if exploited, is similar to some of its predecessors and can lead to program crashes or arbitrary code execution. 

The initial access acquired by exploiting the vulnerability could then be used to expand the attack surface and maximize damage to the target system. Such scenarios necessitate that proactive cybersecurity measures be used to safeguard against online security risks.

The sources for the piece include articles in The Hacker News and Cyber Security News

 

Summary
Alert: New Chrome Zero-Day Vulnerability Being Exploited
Article Name
Alert: New Chrome Zero-Day Vulnerability Being Exploited
Description
Learn all about the new Chrome zero-day vulnerability. Update your Chrome browser today to stay safe from online security risks.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Become a TuxCare Guest Writer

Mail

Help Us Understand
the Linux Landscape!

Complete our survey on the state of Open Source and you could win one of several prizes, with the top prize valued at $500!

Your expertise is needed to shape the future of Enterprise Linux!