Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Rushes to Patch Eighth Chrome Zero-Day This Year

Google warns of in-the-wild exploitation of CVE-2023-7024, a new Chrome vulnerability, the eighth documented this year.

Chrome security updates

Google on Wednesday announced emergency patches for a Chrome vulnerability that is under active exploitation. This is the eighth zero-day documented this year.

The issue, tracked as CVE-2023-7024, is described as a high-severity heap buffer overflow bug in Chrome’s WebRTC component.

Supported by major browser makers, WebRTC (Web Real-Time Communication) is an open source project that provides real-time communication via APIs.

“Google is aware that an exploit for CVE-2023-7024 exists in the wild,” the internet giant notes in an advisory. The security hole was reported on December 19, just one day before the patches came out.

The company has not shared technical information on the bug itself, nor has it provided details on the observed attacks exploiting it.

However, it said that the flaw was reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG), which suggests that it might be exploited by commercial surveillance software vendors.

Recently, Google TAG researchers uncovered several other security defects exploited by spyware vendors, including a zero-day that forced Apple (CVE-2023-41064), Google, and Mozilla (CVE-2023-4863) to release emergency patches, and a Chrome vulnerability (CVE-2023-5217) resolved at the end of September.

Aside from CVE-2023-5217 and CVE-2023-4863, Google this year resolved five other Chrome bugs exploited in the wild, namely CVE-2023-6345, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136, making CVE-2023-7024 the eighth documented Chrome zero-day of 2023.

Advertisement. Scroll to continue reading.

The latest Chrome iteration is now rolling out as version 120.0.6099.129 for macOS and Linux, and as versions 120.0.6099.129/130 for Windows.

Google also announced that it has updated the Chrome Extended Stable channel to version 120.0.6099.129 for macOS and to version 120.0.6099.130 for Windows.

Related: Chrome 120 Update Patches High-Severity Vulnerabilities

Related: Chrome 120 Patches 10 Vulnerabilities

Related: Chrome 119 Patches 15 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.