Google rushes out patch for Chrome zero-day with exploit available in the wild

Other Chromium-based browsers are also vulnerable to the flaw in the Skia graphics library

Google yesterday patched a little-known hole in the Chromium engine that powers most web browsers, four days after its own researchers found that it was being exploited in attacks.

The vulnerability affects Google Chrome, Microsoft Edge and dozens of other browsers built on the Chromium engine. It does not on its own let an attacker into a machine: it lets an attacker who has already compromised the browser's renderer process break out of the sandbox that confines it and reach the rest of the system. Google said it was aware that an exploit for the flaw exists in the wild.

The bug was reported on 24 November by Google's Threat Analysis Group (TAG), the team that tracks government-backed and commercial surveillance attackers, after it found the flaw being used against Chrome users.

Google shipped the fix when it disclosed the zero-day yesterday, but said the update would roll out over the coming days and weeks, so most browsers will stay unpatched until they pick it up. The hole meanwhile sits in the browsers of an estimated four billion people. Users who do not want to wait can open chrome://settings/help, which shows the installed version and forces an update check; any build of 119.0.6045.199 or later carries the fix.

Google did not say who had used the flaw, against whom, or what they had achieved before the alert was raised last Friday. Nor did it say how realistic it was for other attackers to exploit the weakness with common tools and skills.

Google rated the severity "High". A sandbox escape chained with a renderer bug gives an attacker code execution outside the browser, from which stealing sensitive data, disrupting services, deploying ransomware inside corporations or attacking critical national infrastructure all become possible. Security news services noted that this was the seventh zero-day vulnerability found in the browser this year. Such flaws are usually discovered by security researchers around the world working to find them before attackers do.

Following its usual practice, Google is keeping bug details and links restricted until a majority of users have received the fix, so that the billions of unpatched browsers are not handed a recipe for the attack.

Its technical description of the flaw yesterday said only that it "allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file". The renderer is the process that parses and draws web content; the sandbox is the set of operating-system restrictions that normally stops that process from touching files, devices or other programs on the machine.

The flaw (tracked as CVE-2023-6345) is in the open-source Skia graphics library, the software Chrome uses to draw the 2D images that make up a browser window: buttons, text, images, menus, animations and so on. It is an "integer overflow" bug: an arithmetic result, typically a size or offset computed from attacker-controlled values, wraps around to a value far smaller than the true one, so a buffer is allocated too small and later writes spill past it into neighbouring memory. A crash is the least an attacker can do with that; a carefully crafted input turns the out-of-bounds write into control of the process.

Like many other zero-day exploits the hack was devilishly complex, and of a sort often attributed to state-sponsored actors seeking to break into computer systems of government, national infrastructure, officials and journalists.

An attacker would first need some other flaw to compromise the renderer process, then feed the Skia library a tailored input that triggers the overflow and corrupts memory, then use that corruption to run their own code with the sandbox's privileges, then use that code to break out of the browser's sandbox, and finally put the resulting access to work doing damage or stealing secrets.
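The two paragraphs above describe the bug class but not the mechanics. The program below is an added example, not Skia's code or anything from the Chrome advisory, showing how an integer overflow in a graphics library's size calculation turns into a heap overflow, beside the hardened version of the same calculation. The bitmap format, the 32767-pixel dimension cap and the 65536 x 65537 header values are assumptions constructed for the demonstration; the out-of-bounds write is simulated and counted rather than performed, so the program does not corrupt its own heap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sanity cap on a bitmap dimension. Real libraries choose their own
 * limit; the value here is illustrative, not Skia's. */
#define MAX_DIM 32767u
#define BYTES_PER_PIXEL 4u   /* 32-bit RGBA */

/* Vulnerable pattern: the byte count is computed in 32-bit arithmetic from
 * attacker-controlled width and height, so the product silently wraps
 * modulo 2^32 and the caller allocates far too little. */
static uint32_t naive_bitmap_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened pattern: reject absurd dimensions up front, then use overflow-
 * checked multiplication (GCC/Clang builtin) for the remaining arithmetic.
 * Returns false instead of producing a wrapped size. */
static bool hardened_bitmap_bytes(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return false;
    size_t pixels, bytes;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, (size_t)BYTES_PER_PIXEL, &bytes))
        return false;
    *out = bytes;
    return true;
}

/* Simulates a renderer that trusts naive_bitmap_bytes(): it allocates that
 * many bytes and then fills the image row by row using the TRUE row size.
 * Each row is bounds-checked first; rows that fit are written, and the bytes
 * that would have landed outside the allocation are counted and returned
 * instead of written. In a real library those bytes overwrite neighbouring
 * heap objects, which is what an exploit turns into control of the process.
 * Returns 0 when every write fits. */
static uint64_t naive_decode_oob_bytes(uint32_t width, uint32_t height)
{
    uint32_t alloc = naive_bitmap_bytes(width, height);
    unsigned char *buf = malloc(alloc ? alloc : 1);
    if (!buf)
        return 0;
    uint64_t stride = (uint64_t)width * BYTES_PER_PIXEL;  /* true row size */
    uint64_t oob = 0;
    for (uint32_t y = 0; y < height; y++) {
        uint64_t off = stride * y;
        if (off + stride <= alloc)
            memset(buf + off, 0xff, (size_t)stride);   /* fits: normal write */
        else
            oob += stride;                             /* would be a heap overflow */
    }
    free(buf);
    return oob;
}

int main(void)
{
    /* Constructed header values a malicious image file could carry.
     * 65536 * 65537 * 4 = 2^34 + 2^18, which wraps to 2^18 = 262144 in 32 bits. */
    uint32_t w = 65536, h = 65537;
    printf("naive size:       %u bytes (true size %llu)\n",
           (unsigned)naive_bitmap_bytes(w, h),
           (unsigned long long)w * h * BYTES_PER_PIXEL);
    printf("bytes out of bounds: %llu\n",
           (unsigned long long)naive_decode_oob_bytes(w, h));

    size_t n = 0;
    bool ok = hardened_bitmap_bytes(w, h, &n);
    printf("hardened %ux%u:   %s\n", w, h, ok ? "accepted" : "rejected");
    ok = hardened_bitmap_bytes(100, 100, &n);
    printf("hardened 100x100: %s, %zu bytes\n", ok ? "accepted" : "rejected", n);
    return 0;
}
```

The first row of the oversized image fits in the 256 KiB buffer and every row after it does not; the hardened routine never reaches the allocation because the dimension check and the checked multiply both refuse the header. The dimension cap matters even with checked arithmetic: on a 64-bit build the product of two 32-bit dimensions rarely overflows size_t, so without a cap the library would simply try to allocate gigabytes.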

The flaw that likely served as the first step, compromising Chrome's renderer process, was reported by Fudan University in Shanghai, China, on 16 November, eight days before the exploit emerged as a mature attack and Google appears to have begun work on the patch it released yesterday.

That flaw (tracked as CVE-2023-6351 and made public in a security alert with even less fanfare yesterday) is a use-after-free bug in libavif, the library Chrome uses to decode AVIF, a format for compressing images to a smaller size. It lets a remote attacker trigger heap corruption in the renderer process if they get a user to open or view a crafted AVIF file, for example an image embedded in a web page.

Both vulnerabilities were fixed in Chrome 119.0.6045.199, the update Google released yesterday. Microsoft shipped the same fixes in its Chromium-based Edge browser.