Recent disclosures have brought attention to a highly significant vulnerability, known as CVE-2023-7024, which affects both Google Chrome and Microsoft Edge browsers across multiple devices. This vulnerability, with a CVSS score of 8.8/10, poses a serious threat as it allows remote attackers to execute malicious code on affected devices, potentially leading to malware infiltration or theft of sensitive data.

This particular vulnerability resides within WebRTC (Web Real-Time Communications), an open-source framework that facilitates real-time voice, text, and video communications between web browsers and devices. By exploiting heap corruption within the WebRTC framework, attackers can manipulate memory and exploit vulnerable versions of Chrome and Edge.

Understanding the complexities of heap memory corruption reveals the severity of this vulnerability. The heap, a dedicated memory block for an application, plays a crucial role. When intentionally or unintentionally corrupted, it can result in application crashes, data loss, and most importantly, security vulnerabilities. In this case, attackers can potentially exploit this vulnerability to execute remote code and compromise the security of affected devices.

The most likely attack vector involves enticing users with a carefully crafted webpage that takes advantage of the vulnerability in their web browser. This could be delivered through various channels such as SMS, email, third-party messaging platforms, or within mobile apps with messaging capabilities. By persuading victims to click on a link leading to the malicious webpage, attackers can initiate the exploit.

Versions Affected:

This vulnerability affects Chrome versions up to 120.0.6099.143 and Edge versions up to 120.0.2210.90. Devices operating on these versions are potentially at risk and should take immediate action to mitigate this threat.

Fix CVE-2023-7024:

Google has swiftly responded to the critical CVE-2023-7024 vulnerability in Chrome’s WebRTC by issuing urgent updates

  1. Immediate Update Deployment: Google swiftly responded to CVE-2023-7024 by releasing versions 120.0.6099.129 for Mac and Linux, and 120.0.6099.129/130 for Windows. Chrome users must prioritize manual updates, accessed via ‘Help’ > ‘About Google Chrome’, ensuring prompt installation of the latest version available.
  2. Enable Automatic Background Updates: For enhanced convenience and security, users can activate automatic background updates within Chrome’s settings. By navigating to ‘Settings’ > ‘Advanced’ > ‘Privacy & security’ and enabling ‘Use automatic background updates’, users ensure ongoing browser security without the need for manual intervention.
  3. Critical Vulnerability Mitigation: These specific browser versions effectively patch the vulnerability, preventing remote code execution and sandbox escapes. Timely installation of the update is paramount to proactively defend against potential exploitation by threat actors targeting this vulnerability.
  4. Activate Phishing & Content Protection (PCP): Safeguard against phishing attacks that exploit vulnerabilities by activating Lookout’s PCP.

By following these steps, you significantly strengthen the security of your Chrome browser, effectively safeguarding against the high-severity heap buffer overflow in the WebRTC component identified as CVE-2023-7024.

Reference:

https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html