Multiple security vulnerability notifications on Google Chrome

September 7, 2023 | NSFOCUS

Overview

Recently, NSFOCUS CERT observed that Google has released a security announcement for Chrome that fixes several security vulnerabilities. The key vulnerabilities are as follows:

Google Chrome Out-of-Bounds Read Vulnerability (CVE-2023-4761):

Due to an out-of-bounds memory read vulnerability in Google Chrome FedCM, an attacker who has compromised the renderer process can perform an out-of-bounds memory read through a specially crafted HTML page.

Google Chrome Type Confusion Vulnerability (CVE-2023-4762):

Due to a type confusion error in the Google Chrome V8 component, remote attackers can trigger the type confusion and execute arbitrary code on the target system by inducing victims to visit specially crafted web pages.

Google Chrome Use-After-Free Vulnerability (CVE-2023-4763):

Due to a use-after-free flaw in the Google Chrome Networks component, remote attackers can exploit heap corruption by inducing users to access malicious HTML pages, ultimately enabling the execution of arbitrary code on the target system.

Google Chrome Spoofing Vulnerability (CVE-2023-4763):

Due to incorrect security UI in Google Chrome BFCache, remote attackers can spoof the contents of the Omnibox (URL bar) through crafted HTML pages.

Reference link:

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html

Scope of Impact

Affected version

  • Google Chrome for Mac/Linux < 116.0.5845.179
  • Google Chrome for Windows < 116.0.5845.179/180

Unaffected version

  • Google Chrome for Mac/Linux >= 116.0.5845.179
  • Google Chrome for Windows >= 116.0.5845.179/180

Mitigation

The official fixed version has been released to address these vulnerabilities. It is recommended that affected users upgrade in a timely manner: https://www.google.com/chrome/
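To find hosts that still need the upgrade, the version thresholds under Scope of Impact can be checked against a software inventory. The following is an added example, not part of the original advisory: the host names and sample version strings are constructed, and it assumes 116.0.5845.179 is the lowest fixed build on every platform.

```python
import re

# Fixed build from the advisory. For Windows the advisory lists .179/.180;
# this sketch assumes .179 is the lowest fixed build on every platform.
FIXED = (116, 0, 5845, 179)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 116.0.5845.140'; return None if none is present."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(text):
    """True if affected, False if fixed, None if the version is unreadable."""
    v = parse_version(text)
    if v is None:
        return None
    # Tuple comparison is numeric per component, so build .96 sorts below
    # .179 (a plain string comparison would get this wrong).
    return v < FIXED

def triage(inventory):
    """Split (host, version_string) pairs into affected / fixed / unknown."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, raw in inventory:
        state = is_affected(raw)
        key = "unknown" if state is None else ("affected" if state else "fixed")
        result[key].append(host)
    return result

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = [
    ("ws-001", "Google Chrome 116.0.5845.140"),
    ("ws-002", "Google Chrome 116.0.5845.179"),
    ("ws-003", "Google Chrome 116.0.5845.96"),
    ("ws-004", "116.0.5845.180"),
    ("ws-005", "Google Chrome 117.0.5938.62"),
    ("ws-006", "chrome not found"),
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown returned no readable version and need a manual check rather than being counted as fixed.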

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.