Google has responded to an actively exploited zero-day vulnerability, marking the eighth time in 2023 that the company has addressed such a threat in its Chrome browser. The vulnerability, tracked as CVE-2023-7024, is a high-severity heap buffer overflow in WebRTC (Web Real-Time Communication), an open-source project that enables real-time audio, video and data communication through web browsers. It was reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG), a unit focused on protecting Google customers from state-sponsored attacks.
The exploit allows threat actors to corrupt the memory of the browser’s WebRTC component, potentially leading to remote code execution. Google has released emergency updates (version 120.0.6099.129 for Windows and version 120.0.6099.129/130 for Mac and Linux) to address the vulnerability; users are advised to confirm that their Chrome browsers are running the latest version to mitigate the risk.
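A practical follow-up to the advisory is to check whether an installed Chrome build is at or above the fixed version. The script below is an added example written for this article, not code from Google or the Chrome project. It assumes the fixed build numbers quoted above (120.0.6099.129 on all platforms is the lowest fixed build), that the Chrome or Chromium binary on Linux and macOS reports its version via `--version` (e.g. `Google Chrome 120.0.6099.129`), and it uses constructed sample inventory records for the fleet check.

```python
import re
import shutil
import subprocess

# Lowest Chrome build that contains the fix for CVE-2023-7024, per the advisory
# quoted in the article (120.0.6099.129 is the floor on Windows, Mac and Linux).
FIXED_VERSION = (120, 0, 6099, 129)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Binary names tried when reading the locally installed version (Linux/macOS).
CANDIDATE_BINARIES = (
    "google-chrome",
    "google-chrome-stable",
    "chromium",
    "chromium-browser",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
)


def parse_version(text):
    """Extract a four-part Chrome version tuple from free text such as
    'Google Chrome 120.0.6099.129'. Raises ValueError if none is present."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the reported build is at or above the fixed build.
    Tuple comparison handles each numeric component in order, so 120.0.6099.130
    and 121.x both count as fixed while 120.0.6099.109 does not."""
    return parse_version(version_text) >= fixed


def installed_chrome_version():
    """Return the locally installed Chrome/Chromium version string, or None if
    no known binary is on PATH (Windows is not covered by this helper)."""
    for name in CANDIDATE_BINARIES:
        path = shutil.which(name) or (name if name.startswith("/") else None)
        if not path:
            continue
        try:
            proc = subprocess.run(
                [path, "--version"], capture_output=True, text=True, timeout=10
            )
        except (OSError, subprocess.SubprocessError):
            continue
        if proc.returncode == 0 and VERSION_RE.search(proc.stdout):
            return proc.stdout.strip()
    return None


def hosts_needing_update(inventory):
    """Given (hostname, version_text) records from an asset inventory, return
    the hostnames still running a build below the fix. Records whose version
    cannot be parsed are reported too, since they cannot be shown to be safe."""
    needs_update = []
    for host, version_text in inventory:
        try:
            if not is_patched(version_text):
                needs_update.append(host)
        except ValueError:
            needs_update.append(host)
    return needs_update


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 120.0.6099.129"),
    ("ws-002", "Google Chrome 120.0.6099.109"),
    ("ws-003", "Chromium 121.0.6167.85"),
    ("ws-004", "Google Chrome 119.0.6045.199"),
    ("ws-005", "unknown"),
]

if __name__ == "__main__":
    local = installed_chrome_version()
    if local is None:
        print("no Chrome/Chromium binary found on PATH")
    else:
        state = "patched" if is_patched(local) else "VULNERABLE, update now"
        print(f"{local}: {state}")
    print("inventory hosts needing update:", hosts_needing_update(SAMPLE_INVENTORY))
```

The fleet helper treats an unparseable version as needing attention rather than silently skipping it, which is the safer default when the inventory feed is incomplete.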
Google is aware that the CVE-2023-7024 vulnerability has been exploited in the wild, but as is customary, the company has not disclosed specific details about the attacks. This approach is intended to prevent malicious actors from gaining insights into the vulnerability and developing their own exploits before users can apply the necessary updates. Users are urged to update their Chrome browsers promptly to protect against potential security threats.
The discovery and swift response to this zero-day exploit highlight the ongoing challenges in maintaining the security of widely-used web browsers. Browser vendors continually work to identify and patch vulnerabilities, and users play a crucial role in their own security by promptly applying updates to mitigate the risk of exploitation. As threats evolve, collaboration between security researchers, threat analysts, and browser developers remains essential to stay ahead of potential risks and protect users’ online experiences.