Google on Wednesday announced emergency patches for a Chrome vulnerability that is under active exploitation.
The issue, tracked as CVE-2023-7024, is described as a high-severity heap buffer overflow bug in Chrome's WebRTC component.
Supported by major browser makers, WebRTC is an open source project that provides real-time communication via APIs.
The security hole was reported on December 19, just one day before the patches came out.
The company has not shared technical information on the bug itself, nor has it provided details on the observed attacks exploiting it.
It said that the flaw was reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group, which suggests that it might be exploited by commercial surveillance software vendors.
Recently, Google TAG researchers uncovered several other security defects exploited by spyware vendors, including a zero-day that forced Apple, Google, and Mozilla to release emergency patches, and a Chrome vulnerability resolved at the end of September.
Aside from CVE-2023-5217 and CVE-2023-4863, Google this year resolved five other Chrome bugs exploited in the wild, namely CVE-2023-6345, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136, making CVE-2023-7024 the eighth documented Chrome zero-day of 2023.
The latest Chrome iteration is now rolling out as version 120.0.6099.129 for macOS and Linux, and as versions 120.0.6099.129/130 for Windows.
Google also announced that it has updated the Chrome Extended Stable channel to version 120.0.6099.129 for macOS and to version 120.0.6099.130 for Windows.
This Cyber News was published on www.securityweek.com. Publication date: Thu, 21 Dec 2023 11:13:05 +0000