Google Releases Security Update Addressing Multiple Vulnerabilities in Google Chrome

Security update addresses six high severity vulnerabilities in Google Chrome, including an actively exploited zero-day vulnerability

Threat ID:: CC-4414
Threat Severity:: Medium
Published:: 29 November 2023 2:34 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security update addresses six high severity vulnerabilities in Google Chrome, including an actively exploited zero-day vulnerability

Affected platforms

The following platforms are known to be affected:

Google Chrome for Windows, macOS and Linux

All prior to 119.0.6045.199/.200 for Windows
All prior to 119.0.6045.199 for Mac
All prior to 119.0.6045.199 for Linux

Threat details

Introduction

Google has released a security update which addresses six high severity vulnerabilities in Google Chrome for Windows, Mac, and Linux.

The high severity vulnerabilities include a zero-day tracked as CVE-2023-6345 related to an integer overflow.

Zero-day vulnerability CVE-2023-2136

Google released patches for a similar integer overflow zero-day vulnerability (CVE-2023-2136) in the same component in April 2023, as this vulnerability had also been actively exploited.

This has been covered in a prior Cyber Alert CC-4305.

Exploitation of CVE-2023-6345

Google is aware that an exploit for CVE-2023-6345 exists in the wild.

Remediation advice

Affected organisations are encouraged to review the Chrome Release and apply the necessary updates to the latest release.

Definitive source of threat updates

https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html

CVE Vulnerabilities

Status Published

CVE-2023-6345

Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file.

Status Published

CVE-2023-6346

Use after free in WebAudio in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Status Published

CVE-2023-6347

Use after free in Mojo in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Status Published

CVE-2023-6348

Type Confusion in Spellcheck in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Status Published

CVE-2023-6350

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file.

Status Published

CVE-2023-6351

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file.

Last edited: 29 November 2023 2:35 pm