On Tuesday, Google implemented urgent patches to address a critical zero-day vulnerability in its Chrome web browser, which is currently under active exploitation. The specific flaw, identified as CVE-2023-2136, involves an integer overflow within the open-source 2D graphics library Skia.
Discovered by Clément Lecigne of Google’s Threat Analysis Group on April 12, 2023, this vulnerability permits a remote attacker with control over the renderer process to potentially escape the sandbox environment via a specially crafted HTML page. The U.S. National Vulnerability Database detailed that this flaw affects Google Chrome before version 112.0.5615.137.
This is the second zero-day vulnerability exploited in Chrome this year, following Google’s recent patch for CVE-2023-2033. Whether the two vulnerabilities are connected remains undetermined. Google has acknowledged ongoing exploitation of CVE-2023-2136 but has withheld additional details to mitigate risks of further breaches.
To address these security concerns, Google advises users to update to version 112.0.5615.137/138 on Windows, 112.0.5615.137 on macOS, and 112.0.5615.165 on Linux. Additionally, those utilizing Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are urged to apply the relevant patches when available.
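The version guidance above can be turned into a fleet check. The following is an added example, not Google's tooling: it treats the per-platform builds named above as the minimum fixed build and compares versions numerically. The host names, the inventory rows and the function names are constructed for illustration.

```python
# Added example: flag Chrome installs older than the fixed builds named in the article.
# Covers Google Chrome only; other Chromium-based browsers use their own version numbers.

# Minimum fixed build per platform, taken from the article text.
FIXED = {
    "windows": (112, 0, 5615, 137),
    "macos": (112, 0, 5615, 137),
    "linux": (112, 0, 5615, 165),
}

def parse_version(text):
    """Turn '112.0.5615.137' into (112, 0, 5615, 137); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # bad or missing data is never treated as safe
    # Tuple comparison is numeric per component, so 99.x sorts below 112.x.
    return "patched" if version >= fixed else "vulnerable"

def audit(rows):
    """rows: iterable of (host, platform, version). Returns hosts needing action."""
    findings = []
    for host, platform, version in rows:
        status = classify(platform, version)
        if status != "patched":
            findings.append((host, status))
    return findings

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("ws-001", "Windows", "112.0.5615.138"),
    ("ws-002", "Windows", "112.0.5615.121"),
    ("mac-01", "macOS", "112.0.5615.137"),
    ("lnx-01", "Linux", "112.0.5615.137"),   # below the Linux fixed build
    ("lnx-02", "Linux", "112.0.5615.165"),
    ("ws-003", "Windows", "99.0.4844.84"),   # a string compare would rank this above 112
    ("kiosk-7", "ChromeOS", "112.0.5615.134"),  # platform not listed in the article
    ("ws-004", "Windows", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Hosts reported as unknown need manual review, since the article gives no fixed build for their platform or their version string could not be parsed.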
These vulnerabilities highlight the pressing need for business owners and IT professionals to remain vigilant about cybersecurity measures. The active exploitation of CVE-2023-2136 illustrates the potential use of tactics under the MITRE ATT&CK framework, including initial access and privilege escalation, which are integral for attackers aiming to compromise system integrity.
In light of these developments, organizations should not only ensure their systems are updated promptly but also consider implementing layered defenses to minimize potential attack vectors. Collaborating with cybersecurity experts and enhancing incident response strategies could prove crucial in navigating this evolving threat landscape.