Google Chrome < 120.0.6099.224 — RCE
A heap buffer overflow in Chrome's WebRTC component lets an attacker run arbitrary code in the renderer by getting a user to visit a malicious web page; no interaction beyond navigation is needed.
An attacker serving a crafted web page can exploit this vulnerability to execute arbitrary code in the context of the Chrome renderer process. Chained with a separate sandbox escape, this can lead to full system compromise. Google confirmed that an exploit for this vulnerability existed in the wild before the patch shipped.
Google Chrome's WebRTC implementation contains a heap buffer overflow in its media processing pipeline. WebRTC is used for video conferencing, screen sharing, and peer-to-peer communication and is enabled by default in every Chrome installation. The vulnerability can be triggered by a malicious web page without any user interaction beyond navigation.
Exposure vectors: 📧 Phishing link · 🖼 Malicious file · 🔓 Server compromised
Probably yes if any of these apply:
Affected OS versions
CVE-2023-7024 was the eighth Chrome zero-day patched by Google in 2023, illustrating the sustained exploitation of browser vulnerabilities against high-value targets. Servers used as jump hosts or Remote Desktop Services (RDS) session hosts, where users browse the web from the server itself, are at particular risk from zero-day browser exploits.
Manual remediation steps
⏱ 10 minutes
Check Current Version
(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon').version
# The BLBeacon key is not present on every install; if it is missing, read the version from the binary instead:
(Get-Item "$env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion
Update Chrome
Option 1 — Chrome Menu: open Menu > Help > About Google Chrome (chrome://settings/help). Chrome checks for and downloads the update; click Relaunch to apply it.
Option 2 — Enterprise Update
# Force update check via Google Update (machine-wide install)
$googleUpdate = 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
if (Test-Path $googleUpdate) {
# /ua checks and updates all registered apps; /installsource scheduler mimics the scheduled-task trigger
& $googleUpdate /ua /installsource scheduler
}
# GoogleUpdate.exe returns immediately and applies the update in the background; a running Chrome must be relaunched before the new build is in use.
Verification
(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon').version
# Must show 120.0.6099.224 or later. If the key is missing, check the binary:
(Get-Item "$env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
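The steps above (check, update, verify) can be chained into one script. The following is an added example, not the site's own tested script: it assumes a machine-wide Chrome install (chrome.exe under Program Files, Google Update under Program Files (x86)), uses this entry's 120.0.6099.224 threshold, and falls back to the Google Update client key and the per-user BLBeacon key when the binary is not found. It also handles the case the manual steps gloss over: an update that has been staged but not applied because Chrome is still running.

```powershell
# Added example (not the site's tested script). Assumes a machine-wide Chrome install.
[version]$MinimumVersion = '120.0.6099.224'   # threshold used by this entry

function Get-ChromeVersion {
    # Prefer the binary's own version resource; fall back to registry keys.
    $exePaths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    )
    foreach ($exe in $exePaths) {
        if (Test-Path $exe) {
            return [version](Get-Item $exe).VersionInfo.ProductVersion
        }
    }
    # Google Update client key for Chrome (machine-wide) and the per-user BLBeacon key.
    $keys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}',
        'HKCU:\SOFTWARE\Google\Chrome\BLBeacon'
    )
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            $v = if ($item.pv) { $item.pv } else { $item.version }
            if ($v) { return [version]$v }
        }
    }
    return $null
}

function Test-ChromeRelaunchPending {
    # Google Update stages a new build as new_chrome.exe beside chrome.exe while
    # Chrome is running; it is swapped in only when Chrome restarts.
    $staged = "$env:ProgramFiles\Google\Chrome\Application\new_chrome.exe"
    return (Test-Path $staged)
}

function Invoke-ChromeUpdate {
    $googleUpdate = "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe"
    if (-not (Test-Path $googleUpdate)) {
        throw 'GoogleUpdate.exe not found; push the update through your software-distribution tool instead.'
    }
    # /ua = update all registered apps; /installsource scheduler mimics the scheduled task.
    & $googleUpdate /ua /installsource scheduler
    # GoogleUpdate returns immediately; give the background download/apply time to finish.
    Start-Sleep -Seconds 120
}

$installed = Get-ChromeVersion
if (-not $installed) {
    Write-Warning 'Chrome not detected on this host; nothing to remediate.'
    return
}
Write-Host "Installed Chrome: $installed (required: $MinimumVersion)"

if ($installed -lt $MinimumVersion) {
    Invoke-ChromeUpdate
    $installed = Get-ChromeVersion
}

# Verification. A staged-but-unapplied update means the running process is still vulnerable.
if ($installed -ge $MinimumVersion) {
    if (Get-Process chrome -ErrorAction SilentlyContinue) {
        Write-Warning 'Patched build installed, but Chrome is still running; relaunch it.'
    } else {
        Write-Host 'OK: patched build installed.'
    }
} elseif (Test-ChromeRelaunchPending) {
    Write-Warning "Update staged (new_chrome.exe present) but not applied; relaunch Chrome, then re-check. Current: $installed"
} else {
    Write-Warning "Still vulnerable: $installed is below $MinimumVersion"
}
```

Run it elevated on each jump host or session host. The `[version]` cast makes the comparison numeric per component, so `120.0.6099.224` correctly sorts above `120.0.6099.62`; a plain string comparison would get that wrong.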