Google has issued an urgent update to address a recently discovered vulnerability in Chrome that has been under active exploitation in the wild, marking the eighth zero-day vulnerability identified for the browser in 2023.

Identified as CVE-2023-7024, the vulnerability is, according to Google, a significant heap buffer overflow flaw within Chrome’s WebRTC module that allows remote code execution (RCE).

WebRTC is an open source initiative enabling real-time communication through APIs, and enjoys widespread support among the leading browser makers.

How CVE-2023-7024 Threatens Chrome Users

Lionel Litty, chief security architect at Menlo Security, explains that the risk from exploitation is the ability to achieve RCE in the renderer process. This means a bad actor can run arbitrary binary code on the user’s machine, outside of the JavaScript sandbox.

However, real damage relies on using the bug as the first step in an exploit chain; it needs to be combined with a sandbox escape vulnerability in either Chrome itself or the OS to be truly dangerous.

“This code is still sandboxed due to the multiprocess architecture of Chrome though,” Litty says, “so with just this vulnerability an attacker cannot access the user’s files or start deploying malware, and their foothold on the machine goes away when the impacted tab is closed.”

He points out Chrome’s Site Isolation feature will generally protect data from other sites, so an attacker can’t target the victim’s banking information, although he adds there are some subtle caveats here.

For example, this would expose a target origin to the malicious origin if the two belong to the same site. In other words, a hypothetical malicious.shared.com could target victim.shared.com.
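The same-site caveat above is easy to misjudge, because Chrome’s Site Isolation boundary is the site (scheme plus registrable domain), not the origin. The following is an added example, not code from the article or from Chrome: a small Python check that classifies pairs of URLs as same-origin, same-site, or neither. The suffix table is a constructed subset of the Public Suffix List, and the URL values are constructed; Chrome itself consults the full list.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List. Real browsers use the full
# list; entries such as "github.io" show that a hosting suffix can make
# every customer subdomain its own site.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for a hostname, e.g. 'shared.com' for
    'malicious.shared.com' or 'victim.co.uk' for 'victim.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Scanning from the full host downward finds the longest matching suffix first.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix  # the host itself is a public suffix
            return ".".join(labels[i - 1:])
    return host  # unknown suffix: treat the whole host as the site


def site_of(url: str) -> tuple:
    """Chrome's 'schemeful same-site' notion of a site: scheme + eTLD+1."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), registrable_domain(parts.hostname or ""))


def same_site(url_a: str, url_b: str) -> bool:
    """True when both URLs would be treated as one site by Site Isolation."""
    return site_of(url_a) == site_of(url_b)


def same_origin(url_a: str, url_b: str) -> bool:
    """Stricter web-platform check: scheme, host and port must all match."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.hostname, a.port) == (b.scheme.lower(), b.hostname, b.port)


def isolation_relationship(url_a: str, url_b: str) -> str:
    """Summarise how Site Isolation would relate the two URLs."""
    if same_origin(url_a, url_b):
        return "same-origin"
    if same_site(url_a, url_b):
        return "same-site (may share a renderer; cross-origin access still blocked by the web platform)"
    return "cross-site (isolated into separate renderer processes)"


if __name__ == "__main__":
    pairs = [
        ("https://malicious.shared.com", "https://victim.shared.com"),
        ("https://malicious.shared.com", "https://victim.other.com"),
        ("https://evil.github.io", "https://victim.github.io"),
        ("http://a.shared.com", "https://b.shared.com"),
    ]
    for a, b in pairs:
        print(f"{a} vs {b}: {isolation_relationship(a, b)}")
```

Running it shows why the article’s hypothetical works: `malicious.shared.com` and `victim.shared.com` are different origins but the same site, so Site Isolation alone does not separate them, whereas subdomains under a public suffix such as `github.io` are distinct sites. The check is useful when reviewing which of an organisation’s own hostnames share a registrable domain with less trusted content.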

“While access to the microphone or camera requires user consent, access to WebRTC itself does not,” Litty explains. “It is possible this vulnerability can be targeted by any website without requiring any user input beyond visiting the malicious page, so from this perspective the threat is significant.”

Aubrey Perin, lead threat intelligence analyst at Qualys Threat Research Unit, notes that the reach of the bug extends beyond Google Chrome.

“The exploitation of Chrome is tied to its ubiquity — even Microsoft Edge uses Chromium,” he says. “So, exploiting Chrome could also potentially target Edge users and allow bad actors a wider reach.”

And it should be noted that Android mobile devices using Chrome have their own risk profile; they put multiple sites in the same renderer process in some scenarios, especially on devices that do not have a lot of RAM.

Browsers Remain a Top Cyberattack Target

Major browser vendors have recently reported a growing number of zero-day bugs — Google alone reported five since August.

Apple, Microsoft, and Firefox are among the others that have disclosed a series of critical vulnerabilities in their browsers, including some zero-days.

Joseph Carson, chief security scientist and Advisory CISO at Delinea, says it’s no surprise that government-sponsored hackers and cybercriminals target the popular software, constantly searching for vulnerabilities to exploit.

“This typically leads to a larger attack surface due to the software’s widespread usage, multiple platforms, high-value targets, and usually opens the door to supply chain attacks,” he says.

He notes that, with vulnerabilities of this type, many users also take time to update and patch vulnerable systems.

“Therefore, attackers will likely target these vulnerable systems for many months to come,” Carson says.

He adds, “As this vulnerability is being actively exploited, it likely means that many users’ systems have already been compromised and it would be important to be able to identify devices that have been targeted and quickly patch those systems.”

As a result, Carson notes, organizations should investigate sensitive systems with this vulnerability to determine any risks or potential material impact.

Source: www.darkreading.com