Google has issued an urgent update to address a recently discovered vulnerability in Chrome that has been under active exploitation in the wild, marking the eighth zero-day vulnerability identified for the browser in 2023.
Identified as CVE-2023-7024, Google said the vulnerability is a significant heap buffer overflow flaw within Chrome's WebRTC module that allows remote code execution.
WebRTC is an open source initiative enabling real-time communication through APIs, and enjoys widespread support among the leading browser makers.
How CVE-2023-7024 Threatens Chrome Users
Lionel Litty, chief security architect at Menlo Security, explains that the risk from exploitation is the ability to achieve RCE in the renderer process.
This means a bad actor can run arbitrary binary code on the user's machine, outside of the JavaScript sandbox.
Real damage relies on using the bug as the first step in an exploit chain; it needs to be combined with a sandbox escape vulnerability in either Chrome itself or the OS to be truly dangerous.
He points out Chrome's Site Isolation feature will generally protect data from other sites, so an attacker can't target the victim's banking information, although he adds there are some subtle caveats here.
This would expose a target origin to the malicious origin if they use the same site: In other words, a hypothetical malicious.
Aubrey Perin, lead threat intelligence analyst at Qualys Threat Research Unit, notes that the reach of the bug extends beyond Google Chrome.
It should be noted that Android mobile devices using Chrome have their own risk profile; they put multiple sites in the same renderer process in some scenarios, especially on devices that do not have a lot of RAM.
Browsers Remain a Top Cyberattack Target
Major browser vendors have recently reported a growing number of zero-day bugs - Google alone reported five since August.
Apple, Microsoft, and Firefox are among the others that have disclosed a series of critical vulnerabilities in their browsers, including some zero-days.
Joseph Carson, chief security scientist and Advisory CISO at Delinea, says it's no surprise that government-sponsored hackers and cybercriminals target the popular software, constantly searching for vulnerabilities to exploit.
He notes that it also takes time for many users to update and patch systems affected by these types of vulnerabilities.
As a result, Carson notes, organizations should investigate sensitive systems with this vulnerability to determine any risks or potential material impact.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 22 Dec 2023 18:05:04 +0000