Google Issues Another Emergency Security Patch For Billions Of Chrome Users, Update Now

Chrome browser running on a Samsung tablet.
For the second time this year (and in less than a week) Google has issued an emergency security patch for billions of Chrome browser users. Without it, the browser is vulnerable to a zero-day security flaw that is known to be actively exploited in the wild. Suffice it to say you'll want to install this one sooner rather than later.

This is not to be confused with the zero-day flaw we wrote about last weekend, for which there was also an emergency patch issued. That one (CVE-2023-2033) was labeled as a 'type confusion' bug in V8, the JavaScript engine used by Chromium-based browsers. Unpatched, it could allow memory to be read out of bounds, resulting in browser crashes and/or the execution of arbitrary code on targeted devices.

Screenshot of CVE-2023-2136

Now less than a week later, Google is calling attention to a 'High' level security flaw (CVE-2023-2136) labeled as an integer overflow vulnerability in Skia, which is Google's open-source 2D graphics library. Written in C++, Skia provides various APIs that work across multiple platforms and serves as the graphics engine for Chrome (as well as ChromeOS, Android, and more products).

Integer overflows have numerous implications. In this case, it could theoretically lead to things like rendering errors or, as with the previous zero-day flaw, execution of arbitrary code on a victim's PC. We don't know for sure what the full extent of the risk is because Google keeps the finer-grained details under lock and key until a majority of users have updated their browsers. However, it is noted that, left unpatched, the flaw allows a "remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page."
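To show why an integer overflow in a graphics library is a memory-safety problem and not just a math error, here is an added C++ illustration (not Skia's code, and the image dimensions and the 1 GiB cap are constructed for the example): the unchecked size computation wraps to a small number, so a buffer far too small for the image would be allocated, while the overflow-checked form rejects it.

```cpp
// Added illustration, not Skia code. Shows how a pixel-buffer size computed in
// 32-bit arithmetic wraps, and the overflow-checked form that refuses it.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed policy limit for this example: never allocate more than 1 GiB.
static const uint64_t kMaxBufferBytes = 1ull << 30;

// Unsafe: width * height * 4 (RGBA) is evaluated in 32 bits and silently wraps,
// so a huge image can yield a tiny allocation that later writes overrun.
uint32_t naiveBufferSize(uint32_t width, uint32_t height) {
    return width * height * 4;  // wraps modulo 2^32
}

// Hardened: every multiplication is overflow-checked and the result is capped,
// so the caller gets "reject this image" instead of a wrapped size.
bool checkedBufferSize(uint32_t width, uint32_t height, size_t* outBytes) {
    uint64_t pixels = 0, bytes = 0;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)height, &pixels)) return false;
    if (__builtin_mul_overflow(pixels, (uint64_t)4, &bytes)) return false;
    if (bytes > kMaxBufferBytes) return false;  // policy cap, also covers 32-bit size_t
    *outBytes = (size_t)bytes;
    return true;
}

int main() {
    // Constructed dimensions: 65536 x 65537 pixels is ~17 GB of RGBA data,
    // but the 32-bit product wraps to 65536 pixels, i.e. 256 KiB.
    uint32_t w = 65536u, h = 65537u;
    std::printf("naive size for %ux%u: %u bytes\n", w, h, naiveBufferSize(w, h));
    size_t n = 0;
    std::printf("checked size accepted: %s\n", checkedBufferSize(w, h, &n) ? "yes" : "no");
    if (checkedBufferSize(1024u, 768u, &n)) std::printf("1024x768 needs %zu bytes\n", n);
    return 0;
}
```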

Once again, credit is given to Clément Lecigne of Google's Threat Analysis Group (TAG) for bringing the vulnerability to attention.

That's not the only reason to install the patch, though. The emergency update includes a total of eight security fixes, several of which carry a 'High' severity rating. The ones that came by way of external researchers include:
  • [$8000][1429197] High CVE-2023-2133: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
  • [$8000][1429201] High CVE-2023-2134: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
  • [$3000][1424337] High CVE-2023-2135: Use after free in DevTools. Reported by Cassidy Kim(@cassidy6564) on 2023-03-14
  • [$NA][1432603] High CVE-2023-2136: Integer overflow in Skia. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-12
  • [$1000][1430644] Medium CVE-2023-2137: Heap buffer overflow in sqlite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05
The figures at the beginning represent the bug bounty value that was paid to the researcher who discovered the flaw. Rong Jian of VRI scored a decent payday for the two bugs outlined above, which ended up being worth a combined $16,000.

If you're running Chrome, you can initiate an update by clicking on the three vertical dots in the upper-right corner and navigating to Help > About Google Chrome. Otherwise, it should update automatically the next time you close and re-open Chrome.