Google releases patch for yet another zero-day exploit

Google continues to release security updates to fix zero-day vulnerabilities found in its Chrome web browser

Google has released a security update for its Chrome web browser, fixing several zero-day vulnerabilities that have been actively exploited in recent attacks. The updates are available for Windows and Mac users, with the Linux version expected to be rolled out soon. The vulnerabilities addressed in the update include integer overflow, type confusion, and other issues in the Skia graphics library, Chrome V8 JavaScript engine, and other components of the browser.

This has been a busy time for the tech company, as it addressed a zero-day vulnerability in the Chrome browser towards the end of last week. In its recently published April 2023 Threat Horizons Report,[1] the company acknowledged that the Chinese threat group, APT41, had misused its open-source Google Command and Control (GC2) red-teaming tool for malware attacks. Additionally, on April 18, the company reported yet another Chrome zero-day vulnerability that required urgent attention.

The vulnerabilities patched

One of the zero-day vulnerabilities addressed by Google is CVE-2023-2136,[2] which is a high-severity integer overflow bug in the Skia library. Skia is a Google-owned open-source 2D graphics library that provides Chrome with APIs for rendering graphics, text, images, shapes, and animations. Integer overflow bugs happen when an operation results in a value that exceeds the maximum for a given integer type. In the context of Skia, this could lead to incorrect rendering, memory corruption, and arbitrary code execution, resulting in unauthorized access to systems.
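The integer overflow class described above, shown as an added example of a pixel-buffer size calculation. It is not Skia's code and not the CVE-2023-2136 flaw, whose details Google has withheld. The function names, the 256 MiB cap and the sample dimensions are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on one image buffer (assumption, not a Skia value). */
#define MAX_PIXEL_BYTES ((size_t)256 * 1024 * 1024)

/* Unchecked: 32-bit unsigned arithmetic wraps modulo 2^32, so a huge image
 * can yield a small byte count and a buffer far too small for its pixels. */
uint32_t pixel_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked: every multiplication is validated before it happens, and the
 * result is bounded by a cap so oversized requests fail cleanly. */
bool pixel_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         size_t cap, size_t *out)
{
    size_t row, total;

    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (bpp > SIZE_MAX / width)          /* width * bpp would overflow */
        return false;
    row = (size_t)width * bpp;
    if (height > SIZE_MAX / row)         /* row * height would overflow */
        return false;
    total = row * height;
    if (total > cap)
        return false;
    *out = total;
    return true;
}

int main(void)
{
    size_t n = 0;
    /* Constructed dimensions: the true size is 4,295,229,440 bytes. */
    printf("unchecked: %u bytes\n",
           (unsigned)pixel_bytes_unchecked(0x10000u, 0x4001u, 4u));
    printf("checked accepts oversized image: %d\n",
           pixel_bytes_checked(0x10000u, 0x4001u, 4u, MAX_PIXEL_BYTES, &n));
    printf("checked accepts 1920x1080: %d\n",
           pixel_bytes_checked(1920u, 1080u, 4u, MAX_PIXEL_BYTES, &n));
    return 0;
}
```

The unchecked version reports 262,144 bytes for an image that needs over 4 GB, which is how a wrapped size turns into memory corruption once pixels are written past the allocation.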

Another zero-day vulnerability addressed by Google is CVE-2023-2033, which is a type confusion issue in the Chrome V8 JavaScript engine. This vulnerability allows an attacker to take control of a victim's computer by executing arbitrary code. According to Google, this vulnerability has already been exploited in the wild.[3]

In both cases, Google has followed its standard practice when fixing actively exploited flaws in Chrome by withholding many details about how the vulnerabilities were used in attacks. This is to prevent threat actors from developing their own exploits before users can update their software to a safer version.

Google's prompt response to these zero-day vulnerabilities is commendable. These flaws are typically leveraged by advanced threat actors, most of the time state-sponsored, who target high-profile individuals working in governments, media, or other critical organizations. Therefore, it is essential that all Chrome users apply the available updates as soon as possible.

Zero-day vulnerabilities are prevalent across the industry

Google is not alone in dealing with zero-day vulnerabilities. Microsoft[4] and Apple have also struggled with such flaws and released major patches to fix them. In March 2023, Microsoft released an emergency patch to fix a zero-day vulnerability in its flagship Windows operating system that was being exploited by ransomware actors. Similarly, Apple shipped a major patch in April 2023 to fix a pair of code execution flaws in its iOS, macOS, and iPadOS platforms.

The prevalence of zero-day vulnerabilities is a growing concern for organizations and individuals alike. According to data tracked by SecurityWeek, there have been 20 documented in-the-wild zero-day compromises so far this year, and 12 of them were in code from Microsoft, Apple, and Google. These vulnerabilities can have severe consequences, including data breaches, ransomware attacks, and system failures.

To reduce the risk of zero-day vulnerabilities, organizations and individuals should implement best practices such as keeping their software up to date, using anti-virus and anti-malware software, and being cautious when opening emails and clicking links. It is also essential to have a backup strategy in place to mitigate the impact of a successful attack.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
