Google Swiftly Addresses Eighth Zero-Day Threat in Chrome with Emergency Patch

Google has released an emergency Stable Channel update to address a high-severity Chrome flaw, the eighth Chrome zero-day vulnerability of the year. The bug, tracked as CVE-2023-7024, is a heap buffer overflow in WebRTC and was discovered by researchers Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG).

The patch, deployed on December 20, swiftly follows the flaw's report, showcasing the TAG team's rapid response. The Stable channel update includes version 120.0.6099.129 for Macs and Linux machines, and 120.0.6099.129/130 for Windows machines.

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, highlighted the significance of such vulnerabilities due to Google Chrome's widespread usage. He emphasized that these vulnerabilities often result in a larger attack surface, given the platform's ubiquity across multiple systems and high-value targets.

Carson also acknowledged the positive aspect of Google's TAG team promptly identifying the vulnerability, leading to the rapid availability of the patch. However, he cautioned that the exploited nature of the vulnerability suggests potential compromises, urging users to identify and promptly patch targeted systems.

Aubrey Perin, Lead Threat Intelligence Analyst at Qualys Threat Research Unit, pointed out the broader implications of exploiting Chrome. He noted that even Microsoft Edge, utilizing Chromium, could be at risk due to the interconnected nature of these browsers, allowing bad actors a wider reach and posing a significant concern for user security.

Notably, Google has not disclosed technical details of the flaw or provided specifics about the observed attacks. Alongside CVE-2023-7024, Google addressed several other zero-day vulnerabilities exploited throughout the year, underscoring the critical importance of prompt updates and patching for users across various platforms.
