Google Detects Second Zero-Day Chrome Exploit, Days After Patching Another Bug
Hackers have been spotted abusing another serious flaw in Chrome, days after Google patched a separate "zero day" vulnerability in the browser that was under active exploitation.
On Tuesday, Google issued a security bulletin(Opens in a new window) that mentioned the newly discovered Chrome vulnerability, CVE-2023-2136, which has been given a “high severity" rating.
“Google is aware that an exploit for CVE-2023-2136 exists in the wild,” the company warned.
There are not a lot of details about the vulnerability. For now, Google describes it as an “integer overflow” involving the open-source Skia graphics engine, which is used by Chrome.
The official CVE report adds(Opens in a new window) that exploiting the flaw “allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.” This could pave a way for the hacker to access additional computing processes to run untrusted malicious code on a computer, potentially spreading an infection.
Despite the lack of details, it’s possible the flaw was exploited in tandem with another zero-day vulnerability Google patched last Friday, called CVE-2023-2033, which involved a bug in the V8 JavaScript engine for the browser.
The company uncovered both flaws through Clément Lecigne, a security researcher on Google’s Threat Analysis Group team, which is devoted to tracking the most fearsome hacking groups and uncovering zero-day vulnerabilities. Interestingly, Lecigne uncovered CVE-2023-2033 on April 11 and then CVE-2023-2136 on April 12.
Both flaws can also be exploited through specially created HTML pages. Unrelated or not, this suggests the two vulnerabilities were used in attacks that involved delivering malicious
Read more on pcmag.com
