WebRTC Framework at Risk: Heap-Based Buffer Overflow Exploited in the Wild
In a swift response to a critical security threat, Google has released urgent security updates for its Chrome web browser, aiming to rectify a zero-day vulnerability that has already been exploited in real-world scenarios. The identified vulnerability, officially labeled CVE-2023-7024, is characterized as a heap-based buffer overflow bug within the WebRTC framework. This flaw poses a substantial risk, potentially leading to program crashes or, even more concerning, the execution of arbitrary code.
The discovery and reporting of CVE-2023-7024 are credited to Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG), who brought attention to the flaw on December 19, 2023. The severity of the situation is underscored by Google's acknowledgment that an exploit for this vulnerability is actively being used in the wild.
Details surrounding the security defect remain intentionally scarce, a measure taken to prevent further exploitation. However, the gravity of the situation is heightened by the fact that WebRTC is not exclusive to Google Chrome; it is an open-source project also supported by Mozilla Firefox and Apple Safari. At present, it is unclear whether the vulnerability extends beyond Chrome and Chromium-based browsers.
The urgency of this security update is accentuated by the broader cybersecurity landscape in 2023. Qualys data reveals a staggering 26,447 vulnerabilities disclosed so far this year, surpassing the previous year by over 1,500 CVEs. Among these, 115 vulnerabilities have been actively exploited by threat actors and ransomware groups. Notable vulnerability types include remote code execution, security feature bypass, buffer manipulation, privilege escalation, and input validation and parsing flaws.
To mitigate potential threats stemming from CVE-2023-7024, users are strongly advised to upgrade their Chrome browser to version 120.0.6099.129/130 on Windows and 120.0.6099.129 on macOS and Linux. Additionally, users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should promptly apply the corresponding fixes as soon as their vendors make them available.
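A defender's follow-up to the upgrade advice above, as an added example that is not from the article: a small inventory check that flags Chrome installs still below the fixed build, using the version numbers the advisory gives. The inventory records and hostnames are constructed sample data; the platform-to-version table is an assumption derived from the advisory text.

```python
"""Flag Chrome installs that are below the first build patched for CVE-2023-7024.

Added example, not from the article. Fixed versions per the advisory:
Windows 120.0.6099.129/130, macOS and Linux 120.0.6099.129.
"""
from typing import Iterable, List, Tuple

# First Chrome release carrying the fix, keyed by platform (from the advisory).
FIXED_VERSION = {
    "windows": "120.0.6099.129",  # 120.0.6099.130 also ships the fix
    "macos": "120.0.6099.129",
    "linux": "120.0.6099.129",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version like '120.0.6099.129' into an int tuple.

    Integer tuples compare component-wise; a plain string compare would
    wrongly rank '120.0.6099.99' above '120.0.6099.129'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform: str, version: str) -> bool:
    """True if this Chrome build is at or above the fixed version for its platform."""
    key = platform.lower()
    if key not in FIXED_VERSION:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= parse_version(FIXED_VERSION[key])

def unpatched_hosts(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose Chrome build is still exposed to CVE-2023-7024."""
    return [host for host, plat, ver in inventory if not is_patched(plat, ver)]

# Constructed sample inventory: (hostname, platform, installed Chrome version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "120.0.6099.130"),  # patched build
    ("ws-02", "windows", "120.0.6099.110"),  # same major, pre-fix build
    ("mac-01", "macos", "120.0.6099.129"),   # exactly the fixed version
    ("lnx-01", "linux", "119.0.6045.199"),   # previous major release
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below fixed version, update required")
```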