A high-severity zero-day vulnerability in the Google Chrome browser is being actively exploited in the wild. The vulnerability is tracked as CVE-2023-7024 and is a heap buffer overflow in WebRTC, the open source framework that Chrome and many other browsers use to provide real-time audio, video and data communication directly from web pages.
The vulnerability was identified by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG) on December 19, 2023, and a patch was released the following day. Google confirmed that it is aware of an exploit for the flaw existing in the wild, but it is unclear how widely it has been exploited. No further technical details have been released at this stage: as is Google's usual practice, access to bug details and links will remain restricted until a majority of users have updated to the fixed version. Google also noted that the restrictions will remain in place if the bug exists in a third-party library that other projects similarly depend on but have not yet fixed, which is relevant here because WebRTC is embedded in many other browsers and applications. The vulnerability has been addressed in Chrome version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux. Chrome downloads updates automatically by default, but the new version only takes effect after the browser is relaunched; users can confirm the installed version and trigger an update check at chrome://settings/help. Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera and Vivaldi, should apply the corresponding updates from their vendors as they become available.
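The check a fleet administrator wants after reading the paragraph above is whether each machine's reported Chrome build is at or above the fixed version. The script below is an added example, not code from the original article or from Google; the `SAMPLE_INVENTORY` lines are constructed data standing in for the output of `google-chrome --version`, an osquery result or an MDM export, and the hostnames and platform labels are hypothetical.

```python
"""Compare reported Chrome versions against the fixed build for CVE-2023-7024.

Added example (not from the original article). Inventory rows are constructed
sample data; in practice they would come from `google-chrome --version`,
osquery, or an MDM export.
"""
import re
from typing import Optional, Tuple

# Minimum fixed versions from the Chrome stable release note for CVE-2023-7024.
# Windows shipped both 120.0.6099.129 and .130, so .129 is the floor everywhere.
FIXED_VERSIONS = {
    "windows": (120, 0, 6099, 129),
    "mac": (120, 0, 6099, 129),
    "linux": (120, 0, 6099, 129),
}

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the 4-part version from text such as
    'Google Chrome 120.0.6099.129' or 'Chromium 119.0.6045.199'.
    Returns None when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, platform: str) -> bool:
    """True if the reported version is at or above the fixed build.

    Comparing integer tuples avoids the classic string-compare mistake,
    where '120.0.6099.99' would sort above '120.0.6099.129'."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return version >= FIXED_VERSIONS[platform.lower()]


# Constructed inventory: (hostname, platform, raw output of the version command).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 120.0.6099.130"),
    ("ws-02", "windows", "Google Chrome 120.0.6099.110"),
    ("mac-03", "mac", "Google Chrome 120.0.6099.129"),
    ("lnx-04", "linux", "Google Chrome 119.0.6045.199"),
    ("lnx-05", "linux", "Google Chrome 121.0.6167.85"),
]


def unpatched_hosts(inventory):
    """Return the hostnames whose Chrome is still below the fixed build."""
    return [host for host, platform, text in inventory
            if not is_patched(text, platform)]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below 120.0.6099.129, CVE-2023-7024 unpatched")
```

One caveat: the version reported by the installed binary is not necessarily the version that is running. Chrome can have downloaded and staged the fix while an older, still-vulnerable process keeps running until the user relaunches, so a clean result from an inventory check should be paired with a relaunch policy or a check of the running process.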
This is the eighth actively exploited zero-day vulnerability in Chrome to be resolved in 2023. The other exploited zero-days this year include two integer overflow vulnerabilities in Skia (CVE-2023-2136 and CVE-2023-6345), three type confusion vulnerabilities in the V8 JavaScript engine (CVE-2023-2033, CVE-2023-3079 and CVE-2023-4762), a heap buffer overflow in WebP (CVE-2023-4863), and a heap buffer overflow in VP8 encoding in libvpx (CVE-2023-5217). Like WebRTC, WebP and libvpx are shared libraries used well beyond Chrome, so those fixes also had to be picked up by other browsers and applications.
Zero-day vulnerabilities in Chrome are often exploited by nation-state actors to install spyware on the devices of persons of interest, such as dissidents, journalists, human rights activists, and opposition politicians. Qualys reported on December 20, 2023, that 26,447 vulnerabilities had been disclosed in 2023, an increase of around 1,500 over 2022. More than 7,000 of those vulnerabilities have proof-of-concept exploit code, 206 have weaponized exploit code available, and 115 have been routinely exploited by threat actors, malware, and ransomware groups.