Google Chrome Zero-day Vulnerability Exploited in the Wild (CVE-2023-7024)

Google has released a patch to address a high-severity vulnerability in the Chrome browser. Tracked as CVE-2023-7024, the vulnerability is being exploited in the wild.

CVE-2023-7024 is a heap-based buffer overflow vulnerability in the open-source WebRTC framework. Many other web browsers, such as Mozilla Firefox, Safari, and Microsoft Edge, also use the WebRTC framework to provide Real-Time Communications (RTC) capabilities (e.g., video streaming, file sharing, and VoIP telephony) via JavaScript APIs. The widespread use of the WebRTC framework makes this vulnerability more severe.

Acknowledging the active exploitation of the vulnerability, CISA has added it to the Known Exploited Vulnerabilities Catalog. CISA has recommended that users patch the flaw before Jan 23, 2024.

Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) discovered the high-severity vulnerability in Google Chrome.

CVE-2023-7024 is the eighth zero-day vulnerability fixed by Google this year. The following are the other seven zero-days:

Affected Versions

Google Chrome versions before 120.0.6099.129 are affected by this vulnerability.

Mitigation

Customers are requested to upgrade to the latest stable channel version 120.0.6099.129 for Mac and Linux and 120.0.6099.129/130 for Windows.

For more information, please refer to the Google Chrome Release Page.

Microsoft has released the Edge Stable Channel (Version 120.0.2210.91) to address CVE-2023-7024, which the Chromium team has reported as being exploited in the wild.
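As an added example (not Qualys tooling or code from the advisory), the following Python script checks inventoried Chrome and Edge builds against the fixed versions given above. It assumes the Edge build 120.0.2210.91 is the first fixed Edge release and compares versions numerically, since a plain string comparison would wrongly rank "120.0.6099.99" above "120.0.6099.129".

```python
"""Flag Chrome/Edge builds older than the fixed versions for CVE-2023-7024."""
from typing import List, Tuple

# Fixed builds stated in the advisory. Chrome on Windows shipped as .129/.130,
# so the lower build is the threshold there as well. Edge threshold is assumed
# from the Edge Stable Channel release that addresses the CVE.
FIXED_VERSIONS = {
    "chrome": (120, 0, 6099, 129),
    "edge": (120, 0, 2210, 91),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '120.0.6099.129' into a tuple of ints."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True if the installed version is older than the fixed build for CVE-2023-7024."""
    fixed = FIXED_VERSIONS[product.lower()]
    # Tuple comparison is component-wise numeric, not lexicographic.
    return parse_version(version) < fixed


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need the patch."""
    return [(h, p, v) for h, p, v in inventory if is_vulnerable(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory, as an endpoint-management export might provide.
    sample = [
        ("ws-01", "chrome", "120.0.6099.109"),
        ("ws-02", "chrome", "120.0.6099.129"),
        ("ws-03", "chrome", "120.0.6099.130"),
        ("ws-04", "edge", "120.0.2210.77"),
        ("ws-05", "chrome", "119.0.6045.199"),
    ]
    for host, product, version in triage(sample):
        print(f"{host}: {product} {version} is vulnerable to CVE-2023-7024")
```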

Qualys Detection

Qualys customers can scan their devices with QIDs 379169 and 379174 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html
