Google has urgently released emergency updates to fix yet another zero-day vulnerability in its Chrome web browser, marking the eighth actively exploited zero-day flaw since the beginning of this year. The vulnerability, identified as CVE-2023-7024, has been acknowledged by Google as having been exploited in the wild. Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group (TAG) discovered and reported this high-severity zero-day bug.
This zero-day vulnerability is a heap buffer overflow weakness in the WebRTC framework, an open-source technology used by various web browsers, including Mozilla Firefox, Safari, and Microsoft Edge, to provide Real-Time Communications (RTC) capabilities such as video streaming, file sharing, and VoIP telephony via JavaScript APIs.
Google has acted swiftly to patch this vulnerability for users in the Stable Desktop channel. The updated versions (120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux) are being rolled out worldwide. While Google has not provided specific details about the incidents of exploitation, it has stated that an exploit for CVE-2023-7024 exists in the wild.
The Threat Analysis Group at Google is known for frequently discovering zero-day vulnerabilities exploited in targeted attacks, especially those sponsored by governments seeking to deploy spyware on the devices of high-profile individuals, including politicians, dissidents, and journalists.
Access to detailed bug information is restricted to prevent threat actors from exploiting the vulnerability further. This precautionary measure is in line with Google’s commitment to limiting the release of technical information until a majority of users have been updated with a fix. Users are strongly advised to update their Chrome browsers immediately to mitigate potential threats.
