Critical Google Chrome security update to patch zero-day vulnerability released
Google has rolled out a crucial security update for Chrome users on Mac, Linux, and Windows to address a zero-day vulnerability tracked as CVE-2023-6345. Discovered by Google's Threat Analysis Group on November 24, this vulnerability could expose systems to data theft and cyber-attacks. Google confirmed in a Chrome stable channel update that they "are aware that an exploit for CVE-2023-6345 exists in the wild." The update is available for some users, with a full rollout expected in the "coming days/weeks."
What is a zero-day vulnerability?
A zero-day vulnerability is a vulnerability in a device or system that has been disclosed but not yet patched. An exploit that attacks a zero-day vulnerability is known as a zero-day exploit. Zero-day vulnerabilities are typically involved in targeted attacks.
Details on the exploit and its impact
The CVE-2023-6345 vulnerability is an integer overflow issue affecting Skia, the open-source 2D graphics library within Chrome's graphics engine. Based on the Chrome update notes, the exploit allowed at least one attacker to "potentially perform a sandbox escape via a malicious file." Sandbox escapes can be used to infect vulnerable systems with harmful code and steal user data. Google has not shared many details about the exploit, as tech companies often withhold information about vulnerabilities until they have been addressed.
How to update your browser?
To protect your system from the exploit, it's essential to update your Chrome browser to the latest version (119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows). If your browser updates automatically, you may not need to do anything. However, if you don't have automatic updates enabled, manually updating through Google Chrome settings is recommended. Keep in mind that the fix is rolling out "over the coming days/weeks," so it might not be immediately available for everyone at this time.
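For anyone checking more than one machine during the staggered rollout, the following added example (not from Google or the Chrome release notes) compares reported Chrome versions against the fixed builds named above. The inventory rows and host names are constructed sample data, and hosts with an unreadable version are reported as unverified rather than assumed safe.

```python
# Added example: flag Chrome installs older than the fixed builds named in the article.
# The inventory rows below are constructed sample data, not real hosts.

# Minimum fixed build per platform, taken from the article.
FIXED = {
    "mac": (119, 0, 6045, 199),
    "linux": (119, 0, 6045, 199),
    "windows": (119, 0, 6045, 199),
}

def parse_version(text):
    """Turn '119.0.6045.159' into (119, 0, 6045, 159); raise ValueError on junk."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform, version_text):
    """True if the build is at or above the fixed build for that platform."""
    return parse_version(version_text) >= FIXED[platform.lower()]

def audit(inventory):
    """Return (host, reason) for every host that still needs attention."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            if not is_patched(platform, version_text):
                findings.append((host, f"outdated: {version_text}"))
        except (ValueError, KeyError):
            # Unknown platform or unparseable version: treat as unverified, not as safe.
            findings.append((host, f"unverified: {platform}/{version_text}"))
    return findings

# Constructed inventory: (hostname, platform, reported Chrome version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "119.0.6045.200"),
    ("ws-02", "windows", "119.0.6045.160"),
    ("mb-03", "mac", "119.0.6045.199"),
    ("lx-04", "linux", "119.0.6045.99"),   # sorts above .199 as a string, below as numbers
    ("lx-05", "linux", "120.0.6099.62"),
    ("ws-06", "windows", "unknown"),
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Versions are compared as tuples of integers because a plain string comparison would rank 119.0.6045.99 above 119.0.6045.199 and miss an unpatched host.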