Pierluigi Paganini
December 20, 2023
Google has released emergency updates to address a new zero-day vulnerability, tracked as CVE-2023-7024, in its web browser Chrome.
The flaw has been addressed with the release of version 120.0.6099.129 for Mac,Linux and 120.0.6099.129/130 for Windows which will roll out over the coming days/weeks.
The vulnerability is a Heap buffer overflow issue in WebRTC. The flaw was reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group on 2023-12-19 and fixed in just one day.
💪🏼 Yesterday @_clem1 and @vladhiewsha discovered and reported a new ITW 0-day to the Chrome team. TODAY, 1 day later, Chrome has a fix out to protect users!!! Thank you, Chrome! CVE-2023-7024https://t.co/2tkx0Zc9pf
— Maddie Stone (@maddiestone) December 20, 2023
“CVE-2023-7024: Heap buffer overflow in WebRTC. Reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group on 2023-12-19” reads the advisory published by the IT giant. “Google is aware that an exploit for CVE-2023-7024 exists in the wild.”
The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm.
As usual, Google did not publish details about the attacks exploiting the flaw in the wild.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” continues the advisory.
This vulnerability is the eighth issue patched by Google since the start of the year.
Below is the list of actively exploited zero-day vulnerabilities in Chrome addressed by Google this year:
CVE-2023-6345 is the sixth actively exploited zero-day vulnerability in Chrome addressed by Google this year, the other ones are:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, chrome)
