Threat actors are exploiting Chromium in a big way this week with multiple vulns that were originally fixed in Chrome, including a heap corruption attack requiring no privileges to exploit. All but the latest versions could lead to remote attackers exposing you to malware or executing arbitrary code on your computer. Chrome and Chromium users should update immediately to be protected against more than a dozen security fixes.

WordPress has had a questionable security history, but what happens when we add on predictive analysis detection and automated remediation to find and fix new and known vulnerabilities? We put a few strategies to the test to find the best way to secure your WordPress install, and this one emerged as highly effective.

Continue reading to learn about other significant issues that have been fixed, including high-impact vulnerabilities discovered in the Go programming language that could lead to buffer overflow attacks, uncontrolled memory consumption, or the execution of arbitrary code, and an important use-after-free vulnerability in WebKitGTK that could lead to arbitrary code execution resulting in system compromise, malware propagation, privilege escalation, and data theft and sabotage.

Yours in Open Source,

Brittany Signature 150

Chromium

The Discovery 

Several serious security vulnerabilities have been discovered in the Chromium open-source web browser, the most severe being a remotely exploitable high-impact type confusion bug (CVE-2023-2033).

Chromium

The Impact

These flaws could enable a remote attacker with no privileges to exploit heap corruption via a crafted HTML page, exposing you to malware or executing arbitrary code on your computer.

The Fix

With a low attack complexity, no privileges required to exploit, and a high confidentiality, integrity and availability impact, it is crucial that all impacted users apply the Chromium updates issued but their distro(s) immediately to protect against attacks leading to downtime and system compromise.

Your Related Advisories:

Register to Customize Your Advisories

Go

The Discovery 

Multiple significant issues were discovered in the Go programming language, including a code injection bug in the go command (CVE-2020-28367). It was also discovered that Go has a buffer overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used (CVE-2021-38297). Many of these vulnerabilities have a National Vulnerability Database (NVD) severity rating of “High” or “Critical”.

Go

The Impact

These high-impact vulnerabilities could lead to buffer overflow attacks, uncontrolled memory consumption, and the execution of arbitrary code, among other threats to the confidentiality, integrity and availability of your systems.

The Fix

A Go security update has been released that mitigates these flaws. We urge all impacted users to apply the Go updates issued but their distro(s) now to secure against exploits leading to compromise.

Your Related Advisories:

Register to Customize Your Advisories

WebKitGTK

The Discovery 

An important use-after-free vulnerability that may have been actively exploited has been found in the WebKitGTK port of the portable web rendering engine WebKit to the GTK platform (CVE-2023-28205). This bug has received a National Vulnerability Database (NVD) base score of 8.8 out of 10 (“High” severity) due to its high confidentiality, integrity and availability impact, and the low attack complexity required to exploit it.

Webkitgtk

The Impact

This flaw could result in arbitrary code execution resulting in system compromise, malware propagation, privilege escalation, and data theft and sabotage.

The Fix

An important security update for WebKitGTK is now available that addresses this issue with improved memory management. We strongly recommend that all impacted users apply the latest WebKitGTK updates issued by their distro(s) as soon as possible to secure their systems and their sensitive data against potential harm.

Your Related Advisories:

Register to Customize Your Advisories