If you’re a Google Chrome user, make sure you have the latest update because Google just patched its sixth zero-day vulnerability of the year.
The vulnerability, which stems from an integer overflow weakness in the Skia open-source 2D graphics library, is actively being exploited, so don’t wait to update your browser.
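The article names the weakness class (an integer overflow) but, as it explains later, withholds the bug itself. The following is an added, constructed C example of that class in a pixel-buffer size computation, with the unchecked pattern beside a hardened one. It is not Skia's code and not the CVE-2023-6345 bug; the function names and the dimensions used are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Generic illustration of the weakness class named in the article (integer
 * overflow, CWE-190) in a pixel-buffer size computation. This is constructed
 * example code: it is not Skia's code and not the CVE-2023-6345 bug. */

/* Vulnerable pattern: a 32-bit product wraps silently, so an oversized image
 * can produce a tiny allocation that later pixel writes overrun. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;
}

/* Hardened pattern: do the arithmetic in 64 bits and reject any result that
 * overflowed or that a size_t cannot hold on this target. Returns 1 and stores
 * the byte count on success, 0 if the dimensions are unsafe. */
int checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *out) {
    uint64_t rows = (uint64_t)width * (uint64_t)height;   /* cannot overflow 64 bits */
    if (bpp != 0 && rows > UINT64_MAX / bpp) return 0;    /* product would wrap */
    uint64_t total = rows * bpp;
    if (total > (uint64_t)SIZE_MAX) return 0;             /* too large for this target */
    *out = (size_t)total;
    return 1;
}

/* Allocate a pixel buffer only when the size computation is provably sound. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp) {
    size_t bytes;
    if (!checked_pixel_bytes(width, height, bpp, &bytes) || bytes == 0) return NULL;
    return calloc(bytes, 1);
}

int main(void) {
    /* Constructed dimensions: 65536 x 65536 x 4 wraps a 32-bit size to 0. */
    printf("unchecked: %u bytes (wrapped)\n", unchecked_pixel_bytes(65536u, 65536u, 4u));
    size_t safe = 0;
    if (checked_pixel_bytes(65536u, 65536u, 4u, &safe))
        printf("checked:   %zu bytes (true size)\n", safe);
    else
        printf("checked:   rejected as unsafe on this target\n");
    unsigned char *p = alloc_pixels(1024u, 768u, 4u);
    printf("1024x768x4: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The unchecked version returns 0 bytes for a 65536 x 65536 x 4 image, so any code that trusts that value allocates nothing and then writes gigabytes of pixels past it; the checked version either reports the true size or refuses the dimensions outright.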
The vulnerability was discovered late last week by two security researchers working with Google’s Threat Analysis Group (TAG). This department is typically charged with finding zero-day vulnerabilities in endpoints and hunting down state-sponsored threat actors, so it’s safe to assume that at least one of the groups exploiting this flaw is state-sponsored.
No further details
Google said it will not release details about this vulnerability until the majority of browsers are updated. The earliest safe version is 119.0.6045.199/.200 for Windows users and 119.0.6045.199 for Mac and Linux users.
Although Google typically rolls out a patch gradually across regions, when we checked for updates, version 119.0.6045.200 was already available. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the company said.
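The check a practitioner wants here is whether an installed Chrome build is at or above the patched release the article lists. The following added C example (not code from the article or from Google) compares a version string numerically against 119.0.6045.199; a plain string comparison would rank "99.0.0.0" above "119.0.0.0". The helper for pulling the version out of a line like "Google Chrome 119.0.6045.199", as printed by `google-chrome --version` on Linux, is an assumption about that output format; the version strings in `main` other than the article's own are constructed.

```c
#include <stdio.h>

/* Earliest patched Chrome release reported in the article. The Windows build
 * shipped as 119.0.6045.199/.200; both compare as patched here. */
#define MIN_PATCHED_VERSION "119.0.6045.199"

/* Parse a dotted "major.minor.build.patch" string into four ints.
 * Returns 1 on success, 0 if the string does not have exactly that shape. */
int parse_chrome_version(const char *s, int v[4]) {
    char trailing;
    return sscanf(s, "%d.%d.%d.%d%c", &v[0], &v[1], &v[2], &v[3], &trailing) == 4;
}

/* Skip to the first digit, so that a line such as "Google Chrome 119.0.6045.199"
 * (assumed format of `google-chrome --version` on Linux) can be fed straight in. */
const char *version_field(const char *line) {
    while (*line && (*line < '0' || *line > '9')) line++;
    return line;
}

/* Returns 1 if installed >= MIN_PATCHED_VERSION, 0 if it is older (still
 * exposed to CVE-2023-6345), -1 if the string could not be parsed. */
int chrome_is_patched(const char *installed) {
    int have[4], need[4];
    if (!parse_chrome_version(installed, have)) return -1;
    parse_chrome_version(MIN_PATCHED_VERSION, need);
    for (int i = 0; i < 4; i++) {
        if (have[i] != need[i]) return have[i] > need[i];
    }
    return 1;   /* identical to the minimum patched version */
}

int main(void) {
    /* Constructed sample inputs; only the first two appear in the article. */
    const char *samples[] = {
        "119.0.6045.200",
        "119.0.6045.199",
        "119.0.6045.105",
        "99.0.9999.999",
        "Google Chrome 119.0.6045.199",
        "not a version",
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = chrome_is_patched(version_field(samples[i]));
        printf("%-32s -> %s\n", samples[i],
               r == 1 ? "patched" : r == 0 ? "VULNERABLE, update" : "unparseable");
    }
    return 0;
}
```

The version string can also be read from chrome://version in the browser itself; the comparison is the same. Because the check is field by field, a future major release such as 120.x is correctly reported as patched without editing the constant.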
“Access to bug details and links may be restricted until the majority of users have been updated with a fix. We will also enforce restrictions if the bug exists in a third-party library that other projects similarly depend on, but have not yet resolved,” the company said.
Withholding details is standard practice for vulnerabilities that are actively being exploited, as sharing more information could motivate other attackers to develop their own malware.
Google has fixed six zero-day vulnerabilities so far this year, including two fixed in September: CVE-2023-5217 and CVE-2023-4863. These two were also exploited in the wild, Google said at the time.
Chrome is one of the most popular browsers in the world, making it an attractive target for criminals.
Via BleepingComputer