top of page
  • Clipeus

Google Chrome And Workspace Require Attention

On 28 November 2023, the Google Chrome team released a Stable channel update (119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows), which addresses several high-severity vulnerabilities, including CVE-2023-6345, an integer overflow bug in the open-source 2D graphics library Skia. A public exploit for this vulnerability is actively being used in the wild.

Other flaws fixed in the latest update include the following high-severity issues that do not appear to be actively exploited at the time of the report:

  • CVE-2023-6348: Type Confusion in Spellcheck

  • CVE-2023-6347: Use-after-free in Mojo

  • CVE-2023-6346: Use-after-free in WebAudio

  • CVE-2023-6350: Out-of-bounds memory access in libavif

  • CVE-2023-6351: Use-after-free in libavif

The fix for Google Chrome vulnerabilities was released one day after the publication of a report from Hunters Security documenting a proof-of-concept dubbed "DeleFriend." This proof-of-concept exploits misconfigurations of Domain Wide Delegation in Google Workspace, posing a security risk to vulnerable instances. It enables privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges. Notably, this new attack technique does not require the attacker to obtain Super Admin privileges. Instead, exploitation becomes possible by enumerating successful combinations of service account keys and OAuth scopes, allowing the attacker to identify an existing domain-wide delegation within the Identity and Access Management (IAM) policy and attempt a takeover.


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page