Patch/Configuration Management

Google releases emergency patches for eighth Chrome zero-day of 2023


Google on December 20 released what it calls a Stable Channel update for a high-severity Chrome flaw that Google said has been actively exploited in the wild.

The bug – CVE-2023-7024 – was the eighth Chrome zero-day patched by Google this year. The flaw was described as a heap buffer overflow in WebRTC.

Researchers Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG) reported the flaw on December 19, just a day before the patch was made.

In an advisory, Google said the Stable channel has been updated for desktops to 120.0.6099.129 for Macs and Linux machines and 120.0.6099.129/130 for Windows machines.
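A defender's first question after an advisory like this is which machines are still below the fixed build. The following is an added example, not code from the article or from Google: it parses Chrome version strings and compares an inventory against the per-platform fixed versions quoted above (the hostnames and installed versions in the sample inventory are constructed).

```python
"""Check installed Chrome builds against the fixed Stable versions for
CVE-2023-7024, as listed in Google's advisory (120.0.6099.129 for Mac
and Linux, 120.0.6099.129/130 for Windows)."""
from typing import List, Tuple

# Minimum fixed Stable build per platform, taken from the advisory.
# Windows shipped both .129 and .130; .129 is the floor that matters.
FIXED_VERSIONS = {
    "mac": "120.0.6099.129",
    "linux": "120.0.6099.129",
    "windows": "120.0.6099.129",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '120.0.6099.129' into (120, 0, 6099, 129); reject malformed input."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed build for that platform.
    Tuple comparison does the right thing where plain string comparison would not
    (e.g. '120.0.6099.99' < '120.0.6099.129')."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[key])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts still running a vulnerable build.
    inventory entries are (host, platform, installed_version)."""
    return [host for host, platform, ver in inventory if not is_patched(platform, ver)]


# Constructed sample inventory with hypothetical hosts; not data from the article.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "120.0.6099.110"),   # below the fix
    ("ws-02", "windows", "120.0.6099.130"),   # the second Windows build
    ("mac-03", "mac", "119.0.6045.199"),      # previous major release
    ("srv-04", "linux", "120.0.6099.129"),    # exactly the fixed build
]

if __name__ == "__main__":
    print("still vulnerable:", triage(SAMPLE_INVENTORY))
```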

According to Google Open Source, the Stable channel gets the full testing and blessing of the Chrome test team, and it’s the “best bet” to avoid crashes and other issues. It gets updated roughly every two to three weeks for minor releases, and every 6 weeks for major releases.

These types of vulnerabilities typically lead to a larger attack surface because of Google Chrome’s widespread usage, multiple platforms, and high-value targets, said Joseph Carson, chief security scientist and Advisory CISO at Delinea. Carson said it takes time for many users to update and patch vulnerable systems, so attackers will likely target these vulnerable systems for many months to come.

“The positive news here is the speed that Google’s TAG team quickly discovered the vulnerability that resulted in the quick availability of a patch,” said Carson. “As this vulnerability is being actively exploited, it likely means that many users’ systems have already been compromised and it would be important to identify devices that have been targeted and quickly patch those systems.”

Aubrey Perin, lead threat intelligence analyst at Qualys Threat Research Unit, added that the exploitation of Chrome is tied to its ubiquity: even Microsoft Edge uses Chromium.

“So exploiting Chrome could also potentially target Edge users and allow bad actors a wider reach,” said Perin.

Google has not shared technical information on the flaw itself, and it also has not offered details on any of the attacks it observed exploiting it.

Along with CVE-2023-7024, Google patched these other zero-day bugs exploited in the wild this year: CVE-2023-5217, CVE-2023-4863, CVE-2023-6345, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136.
