Google wants desktop and mobile Chrome users to deploy a security fix for a vulnerability known to be exploited by threat actors in the wild.
A heap buffer overflow in Chrome’s real-time communication module has been exploited by malicious actors to target vulnerable users, the web giant said in an advisory yesterday.
Tracked as CVE-2023-7024, this WebRTC bug has been used in targeted attacks in the wild. It was found by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group the day prior.
An attacker typically exploits such security holes to steal sensitive data from the target device, as well as run malware that can capture keystrokes, record video or take photos using the device’s cameras, record audio using the built-in mic, etc.
“Google is aware that an exploit for CVE-2023-7024 exists in the wild,” reads the notice.
Google’s TAG team periodically makes such findings, recently attributing attacks to state-sponsored actors deploying spyware on vulnerable devices of high-profile individuals.
This week’s update – available to all desktop users on Windows, Mac and Linux, as well as to Android users – squarely focuses on addressing this single weakness, making it an emergency fix for everyone using Chrome as their default web browser.
The iPhone and iPad versions of Chrome are unaffected at this point. However, Apple wages its own battle with state-sponsored hackers targeting its platforms, periodically issuing OS fixes to plug holes exploited by spyware operators.
If you use Chrome, it is strongly recommended that you install this fix as soon as you can. On desktop, go to Settings -> About Chrome, let the browser fetch the update for you, and then close and relaunch Chrome. You’ll want version 120.0.6099.129 on Mac and Linux, and 120.0.6099.129/130 on Windows.
On Android, you’ll want version 120.0.6099.144. Simply visit the Google Play store, check for updates, and download the newly patched Chrome on your smartphone.
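If you look after more than one machine, the version thresholds above can be applied to an inventory export instead of checking each browser by hand. The Python script below is an added example, not code from Google or from this article; the `host,platform,version` layout, the host names and the function names are assumptions, and it assumes any build numbered at or above the fixed one contains the fix.

```python
import re

# Fixed builds as stated in the article for CVE-2023-7024.
FIXED = {
    "windows": (120, 0, 6099, 129),
    "mac": (120, 0, 6099, 129),
    "linux": (120, 0, 6099, 129),
    "android": (120, 0, 6099, 144),
}
UNAFFECTED = {"ios"}  # the article says iPhone/iPad Chrome is unaffected

# Four-part Chrome version, e.g. the tail of "Google Chrome 120.0.6099.129".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def classify(platform, version_text):
    """Return 'patched', 'vulnerable', 'unaffected' or 'unknown'."""
    platform = platform.strip().lower()
    if platform in UNAFFECTED:
        return "unaffected"
    fixed = FIXED.get(platform)
    match = VERSION_RE.search(version_text)
    if fixed is None or match is None:
        return "unknown"  # never report a host as safe on missing data
    installed = tuple(int(part) for part in match.groups())
    # Assumption: builds at or above the fixed build carry the fix.
    return "patched" if installed >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map hostname -> status for 'host,platform,version' lines."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, platform, version_text = (f.strip() for f in line.split(",", 2))
        results[host] = classify(platform, version_text)
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """
ws-01,windows,Google Chrome 120.0.6099.130
ws-02,windows,Google Chrome 120.0.6099.110
mac-01,mac,Google Chrome 120.0.6099.129
and-01,android,120.0.6099.129
ipad-01,ios,120.0.6099.119
kiosk-01,linux,not installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Note that `and-01` is flagged even though it runs the build that is patched on desktop: the Android fix ships in a later build number, so each platform needs its own threshold.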
Attacks that leverage zero-day exploits are usually highly targeted, but users shouldn’t be complacent, regardless of their occupation or status. As a rule of thumb, stay on the safe side and patch as soon as possible. Consider deploying a dedicated security solution on all your personal devices to stay safe from online threats at all times.