Google Fixes Sixth Chrome Zero-Day Bug of the Year
Google has released an update for Chrome to fix several new vulnerabilities, including one rated high severity that is currently being exploited.
The vulnerability in question, CVE-2023-6345, is listed as an integer overflow issue in Skia, an open-source 2D graphics library written in C++.
“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the tech giant said.
The vulnerability was reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) on November 24. That would suggest that the zero-day flaw could be linked to the delivery of commercial spyware.
The TAG is often involved in tracking such threats, particularly state-sponsored attacks on individuals such as dissidents and activists that autocratic regimes want to covertly monitor.
In September, for example, TAG’s Lecigne reported another high-severity zero-day bug in Chrome under exploitation that was patched in the 117.0.5938.132 release. His colleague Maddie Stone confirmed that the vulnerability was “in use by a commercial surveillance vendor.”
Google said that access to the details of the vulnerability “may be kept restricted until a majority of users are updated with a fix,” and that restrictions may also stay in place if the bug exists in a third-party library that other projects depend on but haven’t yet fixed.
“The Stable channel has been updated to 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, which will roll out over the coming days/weeks,” it added.
The other vulnerabilities listed in this update are all high severity:
- CVE-2023-6348 is a type confusion issue in Spellcheck
- CVE-2023-6347 is a use-after-free vulnerability in Mojo
- CVE-2023-6346 is a use-after-free bug in WebAudio
- CVE-2023-6350 is an out-of-bounds memory access issue in the libavif codec library
- CVE-2023-6351 is a use-after-free bug in libavif