Google on Wednesday announced emergency patches for a Chrome vulnerability that is under active exploitation. This is the eighth Chrome zero-day documented this year.
The issue, tracked as CVE-2023-7024, is described as a high-severity heap buffer overflow bug in Chrome’s WebRTC component.
Supported by major browser makers, WebRTC (Web Real-Time Communication) is an open-source project that provides real-time communication via APIs.
“Google is aware that an exploit for CVE-2023-7024 exists in the wild,” the internet giant notes in an advisory. The security hole was reported on December 19, just one day before the patches came out.
The company has not shared technical information on the bug itself, nor has it provided details on the observed attacks exploiting it.
However, it said that the flaw was reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG), which suggests that it might be exploited by commercial surveillance software vendors.
Recently, Google TAG researchers uncovered several other security defects exploited by spyware vendors, including a zero-day that forced Apple (CVE-2023-41064), Google, and Mozilla (CVE-2023-4863) to release emergency patches, and a Chrome vulnerability (CVE-2023-5217) resolved at the end of September.
Aside from CVE-2023-5217 and CVE-2023-4863, Google this year resolved five other Chrome bugs exploited in the wild, namely CVE-2023-6345, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136, making CVE-2023-7024 the eighth documented Chrome zero-day of 2023.
The latest Chrome iteration is now rolling out as version 120.0.6099.129 for macOS and Linux, and as versions 120.0.6099.129/130 for Windows.
Google also announced that it has updated the Chrome Extended Stable channel to version 120.0.6099.129 for macOS and to version 120.0.6099.130 for Windows.