overview
This week, Google released security updates addressing seven security issues in its Chrome browser. One of the more emergent vulnerabilities, CVE-2023-6345, is considered high-severity and has been actively exploited in the wild. The vulnerability is a Skia Integer overflow flaw and could expose systems to data theft. Skia is an open-source 2D graphics library.
CVE-2023-6345 was discovered and reported by Google's Threat Analysis Group (TAG) on November 24, 2023. According to Google, an exploit for CVE-2023-6345 is in the wild but Google is withholding the technical details regarding the nature of attacks and the attackers exploiting the flaw – a common practice that allows users time to update.
Please note that a similar vulnerability (CVE-2023-2136) in the same component was patched in April 2023 after being actively exploited as a zero-day, raising concerns about CVE-2023-6345 possibly being a patch bypass for the former. Google’s update addresses a total of seven zero-days in Chrome since the beginning of the year, covering several vulnerabilities such as type confusion, integer overflow, and heap buffer overflow.
CVE-2023- 2033 (CVSS score: 8.8)
|
Type confusion in V8
|
CVE-2023-2136 (CVSS score: 9.6)
|
Integer overflow in Skia
|
CVE-2023-3079 (CVSS score: 8.8)
|
Type confusion in V8
|
CVE-2023-4762 (CVSS score: 8.8)
|
Type confusion in V8
|
CVE-2023-4863 (CVSS score: 8.8)
|
Heap buffer overflow in WebP
|
CVE-2023-5217 (CVSS score: 8.8)
|
Heap buffer overflow in vp8 encoding in libvpx
|
Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should apply the fixes when available. Please see Avertium’s recommendations below.
avertium's recommendationS
- If your Chrome browser is set to update automatically, no action may be required.
- However, for others, manual updating to the latest version within the Google Chrome settings (119.0.6045.199 for Mac and Linux, 119.0.6045.199/.200 for Windows) is recommended.
- Google’s advisory mentions that the fix is rolling out over the coming days/weeks, so immediate availability may vary.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-6345. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
How Avertium is Protecting Our CUSTOMERS
- Fusion MXDR for Microsoft combines Avertium's Fusion MXDR approach with Microsoft Security Solutions, creating the first MDR offering that integrates all aspects of security operations into an active and threat-informed XDR solution. Leveraging Microsoft's comprehensive and cost-effective technology, Fusion MXDR for Microsoft delivers a release of cyber energy, encompassing implementation, optimization, ongoing management, and tuning.
- Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
- Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers.
SUPPORTING DOCUMENTATION