Google Fixes the Second 0-Day Vulnerability in Chrome in a Week

Written by Emma Davis

Google has released yet another update for the Chrome browser, fixing the second 0-day vulnerability in the last seven days. An exploit for the new issue reportedly already exists and has been used by attackers.

The new 0-day received the identifier CVE-2023-2136 and was fixed in version 112.0.5615.137, which addressed a total of eight vulnerabilities. The stable release is so far available only for Windows and Mac users; the Linux version will be released “soon” (Google does not give exact dates).

As a reminder, we also reported that Google Releases Urgent Patch for Chrome Fixing 0-Day under Attack, and that Chrome Extensions Installed 1.4 million Times Spoofed User Cookies.

IT specialists warned that North Korean hackers exploited a 0-day bug in Chrome.

CVE-2023-2136 was discovered by Google Threat Analysis Group (TAG) experts at the beginning of the current month. The problem is an integer overflow in Skia, Google’s open-source multiplatform 2D graphics library written in C++. Skia provides Chrome with a set of APIs for rendering graphics, text, shapes, images and animation and is considered a key component of the rendering pipeline.

A vulnerability in Skia can lead to incorrect rendering, memory corruption, and execution of arbitrary code, which can eventually give an attacker access to the system.

As usual, Google does not disclose any details about vulnerabilities under attack, giving users the opportunity to update their browser to a safe version before attackers can create their own exploits for the new bug.

At the end of last week, Google already fixed the 0-day vulnerability CVE-2023-2033 in its browser, which was described as a type confusion problem in the V8 JavaScript engine. This was the first zero-day problem identified in the browser in 2023.

“The type confusion problem in V8 in Google Chrome versions prior to 112.0.5615.121 allowed a remote attacker to exploit heap corruption via a crafted HTML page,” the description of the vulnerability says.

Chrome users are advised to update the browser to version 112.0.5615.121 as soon as possible, as it fixes the CVE-2023-2033 vulnerability on Windows, Mac and Linux.

Google warned that an exploit for CVE-2023-2033 already exists and is being used by attackers, but did not share additional technical details or indicators of compromise, to keep exploitation of the bug from becoming widespread.
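For administrators who need to find unpatched installs, the following added example (not from Google or from this article's sources) checks reported Chrome version strings against the two fixed versions named above. The host names and sample versions are constructed for illustration; the comparison is numeric per component because a plain string comparison would rank 112.0.5615.49 above 112.0.5615.121.

```python
import re

# Fixed-in versions as stated in the article above.
FIXED_IN = {
    "CVE-2023-2033": (112, 0, 5615, 121),
    "CVE-2023-2136": (112, 0, 5615, 137),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def unpatched_cves(version_text):
    """Return the CVEs whose fix is newer than the reported version.

    Returns None when no version can be parsed, so the caller can send
    the host for manual review instead of treating it as patched.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    # Tuples compare component by component, as integers.
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit(inventory):
    """Map each host to its list of unpatched CVEs, or 'unknown'."""
    report = {}
    for host, version_text in inventory.items():
        cves = unpatched_cves(version_text)
        report[host] = "unknown" if cves is None else cves
    return report


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "ws-01": "Google Chrome 112.0.5615.137",
    "ws-02": "Google Chrome 112.0.5615.121",
    "ws-03": "Google Chrome 112.0.5615.49",
    "ws-04": "Google Chrome 111.0.5563.146",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result or 'patched'}")
```

The version text can come from whatever the inventory tooling already collects, for example the output of `google-chrome --version` on Linux.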
