
Google 0-day browser bug under attack, patch available


Google patched a zero-day bug in its Chrome browser and ChromeOS software that is being exploited in the wild. The flaw allows an attacker who is able to compromise the browser's rendering process to bypass sandbox security measures and execute remote code or access sensitive data.

Tracked as CVE-2023-6345 and rated by Google as a high priority fix, the vulnerability is an integer overflow bug in Chrome's open source 2D graphics library called Skia. Google is withholding technical details of the vulnerability until fixes have been rolled out to a majority of users and vendors who use the Chromium browser engine in their products.

The patch, which impacts versions of Chrome prior to 119.0.6045.199, is one of seven security updates the company released on Tuesday.
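The fixed build number gives defenders a concrete threshold to audit against. The sketch below is an added example, not code from Google or from this article: it classifies Chrome version strings against 119.0.6045.199 using numeric, per-component comparison. The hostnames, the tab-separated inventory format and the sample builds are constructed assumptions, and the check applies only to Chrome's own version numbering, not to other Chromium-based products.

```python
import re

# Fixed build named in the article; Chrome builds below it lack the CVE-2023-6345 patch.
FIXED = (119, 0, 6045, 199)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from text such as `google-chrome --version` output."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Tuples compare numerically per component, so 119.0.6045.99 sorts below
    # 119.0.6045.199 (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Map host -> status for lines of the assumed form 'host<TAB>version output'."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, version_text = line.partition("\t")
        results[host.strip()] = classify(version_text)
    return results


# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE = "\n".join([
    "ws-001\tGoogle Chrome 119.0.6045.199",
    "ws-002\tGoogle Chrome 119.0.6045.99",
    "ws-003\tGoogle Chrome 118.0.5993.117",
    "ws-004\tGoogle Chrome 120.0.6099.62",
    "ws-005\tchrome: command not found",
])

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need manual follow-up rather than being counted as patched.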

"Google is aware that an exploit for CVE-2023-6345 exists in the wild," the Google security bulletin stated.

The Skia flaw is an integer overflow that opens unpatched software to a "remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file."

An attack that involves exploiting a sandbox escape allows an adversary to "break out of a secure or quarantined environment (sandbox)... An attacker could use a sandbox escape to execute malicious code on the host system, access sensitive data, or cause other types of harm," according to a NordVPN description.

Google's security bulletin also included patches for high-severity bugs, including:

The announcement marks the latest zero-day bug to affect Google's popular web browser this year.

In September, the company patched another zero-day, CVE-2023-5217, described as a heap buffer overflow in VP8 encoding in the libvpx free codec library that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
