Google has fixed the sixth Chrome zero-day vulnerability this year in an emergency security update released today to counter ongoing exploitation in attacks.
The company acknowledged the existence of an exploit for the security flaw (tracked as CVE-2023-6345) in a new security advisory published today.
“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the company said.
The vulnerability has been addressed in the Stable Desktop channel, with patched versions rolling out globally to Windows users (119.0.6045.199/.200) and Mac and Linux users (119.0.6045.199).
Although the advisory notes that the security update may take days or weeks to accomplish the entire user base, it was available immediately when BleepingComputer checked for updates earlier today.
Users who don’t want to update manually can rely on the web browser to check for new updates automatically and install them after the next launch.
Likely exploited in spyware attacks
This high-severity zero-day vulnerability stems from an integer overflow weakness within the Skia open-source 2D graphics library, posing risks ranging from crashes to the execution of arbitrary code (Skia is also used as a graphics engine by other products appreciate ChromeOS, Android, and Flutter).
The bug was reported on Friday, November 24, by Benoît Sevens and Clément Lecigne, two security researchers with Google’s Threat Analysis Group (TAG).
Google TAG is known for uncovering zero-days, often exploited by state-sponsored hacking groups in spyware campaigns targeting high-profile individuals appreciate journalists and opposition politicians.
The company has stated that access to the zero-day’s details will remain restricted until most users have updated their browsers. If the flaw also affects third-party software that hasn’t been patched yet, then the limitation on access to bug details and links will be extended.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the company said.
This aims to reduce the likelihood of threat actors developing their own CVE-2023-6345 exploits, taking advantage of newly released technical information on the vulnerability.
In September, Google fixed two other zero-days (tracked as CVE-2023-5217 and CVE-2023-4863) exploited in attacks, the fourth and fifth ones since the beginning of 2023.
Previously, the company released security updates for CVE-2023-3079, CVE-2023-2136, and CVE-2023-2033. Google TAG also tagged a remote code execution bug (CVE-2023-4762) as a zero-day after discovering its use in spyware attacks, weeks after it was patched in early September.
Update: Revised story after incorrectly tagging CVE-2023-6345 as the fifth actively exploited Chrome zero-day this year.