Hackers Are Exploiting A Security Flaw Affecting Billions Of Chrome Users, Patch ASAP
If you're using a Chrome browser—and chances are high that you are, simply based on Chrome's dominant market share—stop what you're doing and initiate an update to the latest version. Yes, you should be receiving Chrome updates on an automatic basis, but the newest build patches a bunch of alarming security vulnerabilities, including one that Google confirmed is being actively exploited in the wild.
That being the case, it's best not to take your chances with waiting for Chrome to push out the newest build. Even when it does fetch updates, you still have to manually reload Chrome in order to apply the patch. That's mainly notable for people who, like this author, keep Chrome open and either leave their PC running 24/7 or put it into sleep mode when not in use.
Google highlighted the actively exploited zero-day flaw in a stable channel update this week, along with half a dozen other security fixes, all of which carry a 'High' severity rating. Here are the others, along with the accompanying bug bounty reward where applicable.
- [N/A] High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10
- [$31000] High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21
- [$10000] High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09
- [$7000] High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13
- [$7000] High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13
- [N/A] High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on 2023-11-24
As for the aforementioned zero-day vulnerability, Google notes it is "aware that an exploit for CVE-2023-6345 exists in the wild." But what exactly is it? The full details have not been published because, as is policy, Google refrains from divulging such things until most users have had a chance to update their browser (and thereby be protected from the flaw). What we do know, however, is that it's an integer overflow in Skia.
"Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file," the description reads in the National Vulnerability Database.
Skia is an open-source 2D graphics library that handles common APIs to ensure Chrome runs smooth on different hardware and software platforms. Google acquired Skia in 2005. In addition to the Chrome browser, Skia is implemented in Android, ChromeOS, Firefox, and several other products.
The bottom line is, you should update your Chrome browser to the latest build to be protected from the security threats that Google outlined. To do that, click on the three vertical dots in the upper-right corner and navigate to Help > About Google Chrome.
Chrome will then begin downloading and installing the latest build, which as of this writing is 119.0.6045.200 in Windows. Be sure to hit the Relaunch button when it's finished. Chrome will take note of what windows and tabs you have open and load them back up, but you'll also want to save any work before doing so (like if you're typing in a CMS, for example).