Exploit for WebRTC Exists in the Wild
Google rolled out security updates Wednesday for its Chrome web browser to fix a high-severity vulnerability that is being exploited in the wild.
“Google is aware that an exploit for CVE-2023-7024 exists in the wild,” Chrome’s security advisory said.
The zero-day vulnerability is a heap-based buffer overflow bug in the open-source WebRTC framework.
WebRTC (Web Real-Time Communication) is the open-source framework that lets browsers and devices exchange audio, video and arbitrary data with each other in real time, and it is what developers build on for voice- and video-calling features. Web pages reach it through JavaScript APIs the browser exposes; the media and networking engine behind those APIs is native code in the browser itself, which is why a memory-safety bug there is reachable from untrusted web content.
Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group discovered and reported the flaw.
It marks the eighth Chrome zero-day of the year. In September, Lecigne reported another heap-based buffer overflow zero-day that Google fixed while it was “in use by a commercial surveillance vendor” (see: Chrome Patches 0-Day Exploited by Commercial Spyware Vendor).
Details of the latest zero-day are scarce, as “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. Withholding the full technical details is meant to make it harder for other threat actors to build their own exploits before users have updated. Data from cybersecurity firm Qualys stated that 25% of the high-risk security vulnerabilities discovered in 2023 had been immediately targeted for exploitation, “with the exploit being published on the same day as the vulnerability itself was publicly disclosed.”
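For the patch-management side of this story, the question a defender has to answer is which machines are still running a build older than the one Google shipped with the fix. The script below is an added example written for this article, not code from Google or from the article; it parses the version banner that `google-chrome --version` (or an inventory agent) reports and triages hosts against the fixed release. The fixed version 120.0.6099.129 is taken from Google's December 20, 2023 advisory and is an assumption here: confirm it against the advisory before relying on it, and note that Windows received 120.0.6099.129/130. The hostnames and banners are constructed sample data.

```python
from __future__ import annotations

import re
from typing import Iterable

# Fixed Chrome build announced with the CVE-2023-7024 advisory.
# Assumption for this example: 120.0.6099.129 (Linux/macOS; Windows got .129/.130).
# Verify against Google's current advisory before using this in production.
FIXED_VERSION = "120.0.6099.129"

# Matches a dotted version with two to four numeric components.
VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the dotted version from a banner like 'Google Chrome 120.0.6099.109'.

    The result is padded to four components so that '120.0.6099' compares
    equal to '120.0.6099.0' rather than sorting below it.
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(installed_banner: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build.

    Comparison is tuple-wise on integers, so 121.0.x correctly beats 120.0.6099.129
    and the string-comparison trap ('120.0.6099.9' > '120.0.6099.129') is avoided.
    """
    return parse_version(installed_banner) >= parse_version(fixed)


def triage(inventory: Iterable[tuple[str, str]],
           fixed: str = FIXED_VERSION) -> dict[str, list[str]]:
    """Bucket (hostname, version banner) pairs into patched / vulnerable / unknown."""
    report: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, banner in inventory:
        try:
            bucket = "patched" if is_patched(banner, fixed) else "vulnerable"
        except ValueError:
            # No parseable version (Chrome missing, agent error): flag for a human.
            bucket = "unknown"
        report[bucket].append(host)
    return report


# Constructed sample inventory; hostnames and banners are made up for this example.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 120.0.6099.109"),   # last pre-fix stable build
    ("ws-02", "Google Chrome 120.0.6099.129"),   # exactly the fixed build
    ("ws-03", "Google Chrome 120.0.6099.130"),   # Windows variant of the fix
    ("ws-04", "Chromium 119.0.6045.199"),        # older major version
    ("ws-05", "Google Chrome 121.0.6167.85"),    # newer major version
    ("ws-06", "command not found"),              # agent could not find Chrome
]


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

One caveat the banner does not capture: Chrome applies an update only when the browser is relaunched, so a host whose binary on disk reports the fixed version can still have a long-running process executing the old build. Pair this check with a relaunch policy or a check of the running process's version where your inventory tooling supports it.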