CISA Warns of Active Exploitation of Chromium and Spreadsheet::ParseExcel
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on January 2, 2024. An entry in the catalog means CISA has evidence the flaw is being exploited in the wild; under Binding Operational Directive 22-01 it also starts a remediation clock for federal civilian agencies, and it is a strong prioritization signal for everyone else.
The first vulnerability, CVE-2023-7024, has a CVSS score of 8.8 and affects Google Chromium, and therefore Chrome and every other browser built on it. It is a heap buffer overflow in WebRTC, the component that implements real-time audio, video and data channels in modern browsers. A crafted page can trigger the overflow to crash the renderer or, in the worse case, execute arbitrary code within it. When Google shipped the fix it stated that an exploit for the bug existed in the wild.
Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG) are credited with reporting the flaw on December 19, 2023. The fix is in Chrome 120.0.6099.129 for macOS and Linux and 120.0.6099.129/130 for Windows; anything below 120.0.6099.129 is unpatched. Chrome downloads updates in the background but only applies them on a restart, so a check of chrome://version on endpoints is the quickest way to confirm the fix is actually in effect. Other Chromium-based browsers (Edge, Brave, Vivaldi, Opera and similar) carry the same WebRTC code and need their own vendor updates.
The second vulnerability, CVE-2023-7101, is in Spreadsheet::ParseExcel, a Perl module for reading legacy .xls workbooks. Version 0.65 passes unvalidated data from the file into a string-form eval: the Excel number-format strings attached to cells (the likes of "0.00" or "#,##0", not printf-style format strings) are turned into Perl source and executed while the sheet is parsed. A workbook whose format strings contain Perl code therefore gains remote code execution on any system that parses it, with no macros and no user interaction beyond the file being processed. The module ships embedded in other products rather than only as a CPAN install, so exposure is not limited to hosts where it was installed deliberately; the fix is version 0.66, which removes the eval.
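The illustration below is added here and is not Spreadsheet::ParseExcel's own code: both subroutines, the format grammar and the sample format strings are hypothetical stand-ins for the bug class described above, a string-form eval applied to a number-format string that came from the untrusted workbook. The vulnerable routine splices the quoted literal of the format into Perl source and evals it; the hardened routine parses the format with a strict grammar and only ever appends the literal as data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added illustration, not the module's real code. Hypothetical formatter
# that reproduces the CVE-2023-7101 bug class: untrusted number-format text
# from a cell ends up inside a string eval.

# VULNERABLE pattern: the quoted literal from the cell's number format is
# pasted into Perl source text, which eval then compiles and runs.
sub format_number_unsafe {
    my ($value, $fmt) = @_;
    my ($places) = $fmt =~ /\.(0+)/;                # "0.00" -> "00"
    my $decimals = defined $places ? length $places : 0;
    my ($suffix) = $fmt =~ /"([^"]*)"\z/;           # trailing "literal"
    $suffix = '' unless defined $suffix;
    # Untrusted $suffix becomes part of the program. Anything Perl can
    # interpolate inside a double-quoted string is executed here.
    my $code = qq{sprintf("%.${decimals}f", $value) . "$suffix"};
    my $out = eval $code;
    die "eval failed: $@" if $@;
    return $out;
}

# HARDENED pattern: accept only a small, explicit grammar for the format
# (optional thousands grouping, placeholders, decimals, percent, one quoted
# literal) and treat the literal strictly as data. No eval anywhere.
sub format_number_safe {
    my ($value, $fmt) = @_;
    $fmt =~ /\A(#,##)?[#0]+(?:\.(0+))?(%)?(?:"([^"]*)")?\z/
        or die "rejected number format: '$fmt'\n";
    my $grouped  = defined $1;
    my $decimals = defined $2 ? length $2 : 0;
    my $pct      = defined $3;
    my $literal  = $4;
    $value *= 100 if $pct;
    my $out = sprintf("%.${decimals}f", $value);
    1 while $grouped && $out =~ s/^(-?\d+)(\d{3})/$1,$2/;   # 1234567 -> 1,234,567
    $out .= '%' if $pct;
    $out .= $literal if defined $literal;                   # appended, never evaluated
    return $out;
}

# Constructed sample formats standing in for cells of an untrusted workbook.
my $value   = 1234.567;
my @formats = (
    '0.00"kg"',                                          # benign
    '#,##0.0',                                           # benign
    '0.00"@{[ warn qq{format text ran as code\n} ]}"',   # literal carrying Perl code
);

for my $fmt (@formats) {
    printf "%-52s safe:   %s\n", $fmt, format_number_safe($value, $fmt);
}
for my $fmt (@formats) {
    printf "%-52s unsafe: %s\n", $fmt, format_number_unsafe($value, $fmt);
}
```

Run with a stock perl and compare the last line of each loop: the hardened routine prints the third format's literal back verbatim, while the eval-based one emits "format text ran as code" on stderr, because the double-quoted string it built interpolated the literal's `@{[ ... ]}` block as Perl. The same separation of data from code is the shape of the upstream fix, which removed the eval rather than trying to filter what reached it.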
For both entries CISA set a remediation deadline of January 23, 2024. That date is binding on federal civilian executive branch agencies under BOD 22-01, but the three-week window is a reasonable benchmark for any organization: update Chromium-based browsers fleet-wide and confirm the running version, and inventory Perl code and third-party products that parse .xls files for Spreadsheet::ParseExcel 0.65 or earlier.