Google on Tuesday introduced a security replace that addresses a zero-day vulnerability within the Chrome browser.
The high-severity concern, tracked as CVE-2023-6345, is described as an integer overflow bug in Skia, the open supply 2D graphics library that serves because the graphics engine in Chrome, Firefox, and different browsers.
“Google is conscious that an exploit for CVE-2023-6345 exists within the wild,” the web big notes in its advisory, with out offering particular particulars on the noticed exploitation.
Nevertheless, the corporate says that the flaw was reported by Benoît Sevens and Clément Lecigne of Google’s Risk Evaluation Group (TAG), which means that it is perhaps exploited by a spyware and adware vendor.
Over the previous a number of months, Google TAG researchers have uncovered a number of different zero-day vulnerabilities exploited by distributors of business surveillance software program, together with CVE-2023-5217, a heap buffer overflow in Chrome, patched on the finish of September.
The newest Chrome replace patches 5 different high-severity vulnerabilities, together with three use-after-free points in Mojo, WebAudio, and libavif, a sort confusion bug in Spellcheck, and an out-of-bounds reminiscence entry flaw in libavif.
Google says it has handed out $55,000 in bounty rewards to the reporting researchers, with the best payout ($31,000) going to Leecraso and Guang Gong of 360 Vulnerability Analysis Institute, for the vulnerability in Mojo (CVE-2023-6347).
Per the corporate’s coverage, no bug bounty rewards can be issued for the Spellcheck and Skia flaws, which had been reported by Google Venture Zero and Google TAG researchers.
CVE-2023-6345 is the seventh Chrome zero-day addressed this yr, after CVE-2023-5217, CVE-2023-4762, CVE-2023-4863, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136.
Google patched CVE-2023-4762 in September, when it was not conscious of in-the-wild exploitation, however later stated an exploit for it possible existed earlier than the repair was launched.
The newest Chrome launch is now rolling out to customers as model 119.0.6045.199 for macOS and Linux and as variations 119.0.6045.199/.200 for Home windows.
