On 28 November 2023, the Google Chrome team released a Stable channel update (119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows), which addresses several high-severity vulnerabilities, including CVE-2023-6345, an integer overflow bug in the open-source 2D graphics library Skia. A public exploit for this vulnerability is actively being used in the wild.
Other flaws fixed in the latest update include the following high-severity issues that do not appear to be actively exploited at the time of the report:
CVE-2023-6348: Type Confusion in Spellcheck
CVE-2023-6347: Use-after-free in Mojo
CVE-2023-6346: Use-after-free in WebAudio
CVE-2023-6350: Out-of-bounds memory access in libavif
CVE-2023-6351: Use-after-free in libavif
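As a check on the update above, this added example (not taken from the Chrome release notes or any vendor tooling) classifies hosts in a software-inventory export against the fixed build 119.0.6045.199. The CSV layout, the host names and the `audit` and `classify` helpers are assumptions made for illustration, as is the assumption that any later build also carries the fix.

```python
import csv
import io
import re

# Fixed Stable build named in the bulletin above (Windows shipped .199/.200).
FIXED_BUILD = (119, 0, 6045, 199)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

# Constructed sample inventory (host, os, chrome_version); not real data.
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,windows,119.0.6045.200
ws-002,windows,119.0.6045.160
mac-01,mac,119.0.6045.199
lnx-07,linux,119.0.6045.21
lnx-08,linux,120.0.6099.62
kiosk-3,linux,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome version."""
    match = VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version as 'patched', 'outdated' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: needs manual follow-up, not a pass
    # Tuples compare numerically; compared as strings, "119.0.6045.21"
    # sorts after "119.0.6045.199" and an older build would pass.
    return "patched" if version >= FIXED_BUILD else "outdated"


def audit(inventory_csv):
    """Map each host in a CSV export to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["chrome_version"]) for row in reader}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are kept separate from "patched" so that a missing or malformed version string is followed up instead of being counted as updated.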
The fix for the Google Chrome vulnerabilities was released one day after the publication of a report from Hunters Security documenting a proof-of-concept dubbed "DeleFriend." This proof-of-concept exploits misconfigurations of domain-wide delegation in Google Workspace, posing a security risk to vulnerable instances. It enables privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges. Instead, exploitation becomes possible by enumerating successful combinations of service account keys and OAuth scopes, allowing the attacker to identify an existing domain-wide delegation within the Identity and Access Management (IAM) policy and attempt a takeover.