Google has released an emergency security update for its Chrome browser to address multiple vulnerabilities [2], including a critical zero-day vulnerability that is actively being exploited. This update is crucial for users to protect their systems from potential attacks.

Description

The critical zero-day vulnerability, tracked as CVE-2023-6345 [2], is an integer overflow weakness in Skia, the open-source 2D graphics library used by Chrome [1]. If successfully exploited [1], a remote attacker could crash the browser or execute arbitrary code [1]. The update also includes fixes for six other high-severity vulnerabilities [2], including a type confusion in Spellcheck, use-after-free bugs in Mojo and WebAudio [3], and an out-of-bounds memory access in libavif [3].

To protect their systems, users are strongly advised to upgrade Chrome to the latest version and enable automatic updates [1]. After updating, the installed version should be 119.0.6045.199 on Mac and Linux [4], and 119.0.6045.199 or 119.0.6045.200 on Windows [4]. Close and relaunch the browser so that the update takes effect.
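A quick way to check an endpoint inventory against the patched versions listed above, written as an added example that is not part of the original advisory. It compares dotted Chrome version strings numerically (so any later release, such as 120.x, also passes) and treats the Windows 119.0.6045.199/200 pair as a single minimum; the inventory lines are constructed sample data, and the `google-chrome --version` helper assumes a Linux install with that binary on the PATH.

```python
import re
import subprocess

# Minimum patched Chrome versions per platform, as stated in the advisory.
# Windows shipped both .199 and .200 with the fix, so .199 is the floor there too.
MIN_PATCHED = {
    "linux": (119, 0, 6045, 199),
    "mac": (119, 0, 6045, 199),
    "windows": (119, 0, 6045, 199),
}


def parse_version(text):
    """Extract a four-part Chrome version (e.g. from 'Google Chrome 119.0.6045.199')
    and return it as a tuple of ints so that comparisons are numeric, not lexical."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(version_text, platform):
    """True if the given version is at or above the fixed release for the platform."""
    return parse_version(version_text) >= MIN_PATCHED[platform.lower()]


def installed_chrome_version(binary="google-chrome"):
    """Ask a local Chrome binary for its version string (Linux; assumed binary name)."""
    result = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample inventory, e.g. exported from an endpoint-management tool.
    inventory = [
        ("host-a", "linux", "Google Chrome 119.0.6045.159"),
        ("host-b", "windows", "Google Chrome 119.0.6045.200"),
        ("host-c", "mac", "Google Chrome 120.0.6099.71"),
    ]
    for host, platform, ver in inventory:
        status = "OK" if is_patched(ver, platform) else "NEEDS UPDATE (CVE-2023-6345)"
        print(f"{host:8} {platform:8} {ver:32} {status}")
```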

The "high" severity rating of these six flaws indicates that they are confined to the browser itself, but successful exploitation could still expose information about visited websites [4]. Given Chrome's widespread usage, it has become a prime target for attackers [2]. Organizations should therefore prioritize regular updates and patch management [2]; employee training and network segmentation can further reduce the risk [2].

Users of other Chromium-based browsers and software utilizing Skia should also remain vigilant for similar updates [4]. Staying informed and promptly applying necessary updates is crucial to maintaining the security of these systems.

Conclusion

The emergency security update released by Google for its Chrome browser addresses critical vulnerabilities [2], including a zero-day vulnerability actively exploited by attackers. Upgrading to the latest version and enabling automatic updates is strongly advised to protect against potential attacks. Organizations should prioritize regular updates [2], patch management [2], employee training [2], and network segmentation to mitigate risks [2]. Users of other Chromium-based browsers and software utilizing Skia should also remain vigilant for similar updates [4].

References

[1] https://www.csa.gov.sg/alerts-advisories/alerts/2023/al-2023-151
[2] https://siliconangle.com/2023/11/29/google-rolls-emergency-update-chrome-critical-vulnerability-found/
[3] https://www.helpnetsecurity.com/2023/11/29/cve-2023-6345/
[4] https://www.malwarebytes.com/blog/news/2023/11/update-now-chrome-fixes-actively-exploited-zero-day-vulnerability