
Google Chrome Hit by Second Zero-Day Attack
Google on Tuesday rolled out an emergency fix to address a high-severity zero-day flaw that was being actively exploited in its Chrome web browser.
The flaw, tracked as CVE-2023-2136, is described as a case of integer overflow in Skia, an open source 2D graphics library. Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with finding and reporting the flaw on April 12, 2023.
“Integer overflow in Skia on Google Chrome prior to 112.0.5615.137 allowed a remote attacker that had compromised the renderer process to potentially sandbox escape through the rendered HTML page,” according to NIST’s National Vulnerability Database (NVD).
The tech giant, which also fixed seven other security issues with the latest update, said it was aware of active exploitation of the flaw, but did not disclose additional details to prevent further abuse.
The development marks the second Chrome zero-day vulnerability exploited by bad actors this year, and comes just days after Google patched CVE-2023-2033 last week. It wasn’t immediately clear whether the two zero-days had been chained together as part of an in-the-wild attack.
Users are advised to upgrade to versions 112.0.5615.137/138 for Windows, 112.0.5615.137 for macOS, and 112.0.5615.165 for Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera and Vivaldi are also advised to apply the fix when it becomes available.
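The fixed builds listed above differ per platform, and a plain string comparison of version numbers gets the answer wrong (as strings, "112.0.5615.99" sorts after "112.0.5615.137"). The following is an added example for this article, not tooling from Google or the Chromium project: it compares reported Chrome versions numerically against the per-platform fixed builds named in the article and lists the hosts still below them. The inventory rows, hostnames and the later version "113.0.6000.0" are constructed sample data.

```python
"""Check reported Chrome versions against the builds that fix CVE-2023-2136.

Added example for this article, not Google's or Chromium's own tooling.
The fixed builds are the ones the article names; the version strings are
assumed to come from an inventory export or `chrome --version` output.
"""
from typing import List, Tuple

# Minimum fixed build per platform, as stated in the article.
FIXED_VERSIONS = {
    "windows": "112.0.5615.137",  # 137 and 138 both shipped; 137 is the floor
    "macos": "112.0.5615.137",
    "linux": "112.0.5615.165",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '112.0.5615.137' into (112, 0, 5615, 137) for numeric comparison.

    Comparing the raw strings is wrong: '112.0.5615.99' > '112.0.5615.137'
    lexically, although it is the older build.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed build for the platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for platform {platform!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[key])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, platform, version) rows that are still below the fix."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]


# Constructed inventory rows: hostname, platform, reported Chrome version.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "112.0.5615.121"),   # before the fix: exposed
    ("ws-02", "windows", "112.0.5615.138"),   # second Windows fixed build
    ("mac-01", "macos", "112.0.5615.137"),    # exactly the fixed build
    ("lnx-01", "linux", "112.0.5615.137"),    # fixed on Windows/macOS, not on Linux
    ("lnx-02", "linux", "113.0.6000.0"),      # constructed later release: fine
]

if __name__ == "__main__":
    for host, plat, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {ver} on {plat} is below the fixed build")
```

The Linux row shows why the check is keyed by platform: 112.0.5615.137 is the fixed build on Windows and macOS but still exposed on Linux, where the fix shipped as 112.0.5615.165. The Chromium-based browsers the article mentions use their own version numbering and need their vendors' advisories rather than these floors.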