This week three zero-day vulnerabilities have been announced and should be addressed immediately.
Google released an update for Chrome, stating that it contains 7 security fixes. One of these addresses CVE-2023-6345, a Skia integer overflow flaw in Google Chrome versions 119.0.6045.199 and older. NIST states that the flaw allowed a remote attacker who had “compromised the renderer process to potentially perform a sandbox escape via a malicious file.” This vulnerability is currently under investigation, with little information released. We suggest watching for new information from NIST and Google and investigating your environment accordingly. While waiting for more information, please require all end users to update their Chrome browsers immediately.
Additionally, Google’s Threat Analysis Group (TAG) found zero-day vulnerabilities in Apple iOS’ WebKit, which is used in multiple Apple apps, including Apple Mail and Safari. These vulnerabilities are CVE-2023-42916 and CVE-2023-42917. If you have end users using iPads or iPhones distributed by the organization or under a BYOD policy, those devices should be updated immediately.