Uh-oh, update Google Chrome – exploit already out there for one of these 6 security holes

Google has rolled out six Chrome security fixes, including an emergency patch for a bug for which exploit code is already out there. You're thus encouraged to grab the latest browser update sooner rather than later.

This latest zero-day, tracked as CVE-2023-6345, is a high-severity integer overflow in Skia, the open source 2D graphics library Chrome uses for rendering. It is not a drive-by remote code execution bug on its own: to exploit it, an attacker must already have compromised the renderer process, at which point a malicious file can be used to escape the renderer sandbox. In practice that means it gets chained with a separate renderer bug, which is the usual shape of a browser exploit chain.
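Google hasn't said how the Skia bug works, so the following is an added illustration of the bug class, not Skia's or Chrome's code: a toy image decoder sizes its pixel buffer from an untrusted header, the multiplication wraps in 32-bit arithmetic, and a later pixel write lands outside the buffer. The checked version widens first, tests each multiply, and refuses anything over a policy cap. All names (`buf_size_unchecked`, `buf_size_checked`, `pixel_write_fits`, `MAX_IMAGE_BYTES`) and the 65536 x 65537 header are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not Skia code. MAX_IMAGE_BYTES is an assumed policy
 * cap on how much pixel memory one file may claim. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)   /* 1 GiB, assumed for the example */

/* Vulnerable: the product is evaluated in 32-bit unsigned arithmetic, which
 * wraps modulo 2^32. A hostile header of 65536 x 65537 x 1 bytes/pixel gives
 * 65536, so the decoder allocates one row's worth of memory for a 4 GiB
 * image and every pixel write past the first row lands outside the buffer. */
size_t buf_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t n = width * height * bpp;   /* wraps silently */
    return (size_t)n;
}

/* Portable overflow-checked multiply: returns 0 and leaves *out untouched
 * when a * b does not fit in size_t. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened: widen to size_t first, check each multiply, reject zero-sized
 * and oversized images. Returns the byte count, or 0 if the header must be
 * rejected. */
size_t buf_size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!mul_ok((size_t)width, (size_t)height, &n)) return 0;
    if (!mul_ok(n, (size_t)bpp, &n)) return 0;
    if (n == 0 || n > MAX_IMAGE_BYTES) return 0;
    return n;
}

/* Bounds check for a bpp-byte pixel write at (x, y) into a buffer of
 * buf_len bytes. The offset is computed in size_t with checked multiplies so
 * the check itself cannot wrap. Returns 1 if the write fits, else 0. */
int pixel_write_fits(uint32_t width, uint32_t bpp, size_t buf_len,
                     uint32_t x, uint32_t y)
{
    size_t off;
    if (!mul_ok((size_t)y, (size_t)width, &off)) return 0;
    off += x;   /* y*width + x < 2^64 for 32-bit inputs, so this cannot wrap */
    if (!mul_ok(off, (size_t)bpp, &off)) return 0;
    return buf_len >= bpp && off <= buf_len - bpp;
}

int main(void)
{
    /* Hostile header: 65536 x 65537, 1 byte per pixel. */
    size_t bad = buf_size_unchecked(65536u, 65537u, 1u);
    printf("unchecked size for 65536x65537x1: %zu bytes (wrapped)\n", bad);
    printf("pixel (0,1) fits in that buffer? %d\n",
           pixel_write_fits(65536u, 1u, bad, 0u, 1u));
    printf("checked size for the same header: %zu (0 = rejected)\n",
           buf_size_checked(65536u, 65537u, 1u));

    /* Ordinary header: 640 x 480 RGBA. */
    size_t good = buf_size_checked(640u, 480u, 4u);
    printf("checked size for 640x480x4: %zu bytes\n", good);
    printf("pixel (639,479) fits? %d; pixel (640,479) fits? %d\n",
           pixel_write_fits(640u, 4u, good, 639u, 479u),
           pixel_write_fits(640u, 4u, good, 640u, 479u));
    return 0;
}
```

The practitioner's takeaway is that the allocation size and the per-write bounds check must both be computed in a width that cannot wrap for any header the parser accepts, and that a sanity cap turns "too big to be legitimate" into an early reject rather than a 4 GiB allocation attempt.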

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” according to the Chocolate Factory.

Google doesn’t provide a whole lot of detail about the bug, nor any details about who may be exploiting it and to what nefarious end.

It does note, however, that Benoît Sevens and Clément Lecigne, both members of Google's Threat Analysis Group (TAG), found and reported the vulnerability. TAG's involvement is a strong hint that the exploit was being used to deploy commercial spyware: the group tracks more than 30 vendors selling exploits and surveillance tools to governments.

Meanwhile, networking kit vendor Zyxel issued patches for six vulnerabilities, including three critical 9.8-rated bugs that could allow an unauthenticated attacker to execute operating system (OS) commands on its network-attached storage (NAS) products.

The vulnerabilities include:

  • CVE-2023-35138 (CVSS 9.8), a command injection vulnerability in the “show_zysync_server_contents” function.
  • CVE-2023-4473 (CVSS 9.8), a command injection vulnerability in the web server.
  • CVE-2023-4474 (CVSS 9.8), improper neutralization of special elements in the WSGI server.
  • CVE-2023-37927 (CVSS 8.8), improper neutralization of special elements in the CGI program. 
  • CVE-2023-37928 (CVSS 8.8), a post-authentication command injection bug in the WSGI server.
  • CVE-2023-35137 (CVSS 7.5), an improper authentication flaw in the authentication module.

The flaws affect the NAS326 running firmware 5.21(AAZF.14)C0 and earlier, fixed in V5.21(AAZF.15)C0, and the NAS542 running 5.21(ABAG.11)C0 and earlier, fixed in V5.21(ABAG.12)C0. Given that three of the bugs need no authentication, a NAS exposed to the internet should be treated as a priority for patching or, better, taken off the public internet entirely.

Integer overflows in image-handling code have a track record here: in September 2021, Citizen Lab found an integer overflow in Apple's CoreGraphics image parser being exploited via iMessage to drop NSO Group's Pegasus spyware on a Saudi activist's phone.

We'd strongly suggest updating Chrome as soon as possible to avoid any unwanted flying horses for the holidays.

In addition to the bug with an exploit in the wild, the latest Chrome release addresses five other high-severity flaws. These include a type confusion vulnerability in Spellcheck, tracked as CVE-2023-6348, and an out-of-bounds memory access bug in libavif, tracked as CVE-2023-6350.

Google also patched three use-after-free flaws: CVE-2023-6347 in Mojo, CVE-2023-6346 in WebAudio, and CVE-2023-6351 in libavif.

Google isn’t aware of any in-the-wild exploits for these issues. ®