Google has launched a patch to repair the second zero-day vulnerability present in its Chrome browser (opens in new tab) this 12 months.
Very similar to the earlier menace, which was patched mere days in the past, this one too is being exploited within the wild, the corporate confirmed in a safety bulletin.
The vulnerability is tracked as CVE-2023-2136, and is described as a high-severity integer overflow bug present in Skia, Google’s open supply multi-platform 2D graphics library. Chrome makes use of Skia to render graphics, textual content, photographs, animations, and comparable BleepingComputer describes it as a “key part” of the browser’s rendering pipeline.
By abusing the flaw, a possible menace actor might drive the browser to render pages incorrectly, endure reminiscence corruption, and permit for arbitrary code execution. It’s the latter that’s most problematic, as that may permit unauthorized entry to the susceptible endpoint.
The flaw was found by Clément Lecigne of Google’s Menace Evaluation Group (TAG). TAG often hunts vulnerabilities and malware utilized by state-sponsored actors, so it wouldn’t be too extraordinary to take a position that this vulnerability was being abused by nation-state attackers.
That being mentioned, Google withheld additional particulars in regards to the flaw and its exploit till the vast majority of browser situations are patched.
“Entry to bug particulars and hyperlinks could also be saved restricted till a majority of customers are up to date with a repair,” the corporate mentioned. “We may even retain restrictions if the bug exists in a third-party library that different initiatives equally rely upon, however have not but fastened.”
To safe your browser in opposition to this exploit, be certain to deliver it as much as model 112.0.5615.137. This patch addresses eight vulnerabilities, in whole. At press time, the flaw is fastened for Home windows and Mac gadgets, whereas these engaged on Linux must wait a bit longer. Google says the repair for that OS is within the works and must be launched “quickly”.
Whereas Chrome often installs these patches robotically at begin, customers can set off it manually, too, by navigating to the Chrome menu (three horizontal dots within the higher proper nook), tapping Assist, and shifting to About Google Chrome.
By way of: BleepingComputer (opens in new tab)