Google has released a new critical security update for its Chrome browser. Google says the update, which is available for macOS and several other platforms, contains a fix for a zero-day exploit.
The Stable channel has been updated to 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, which will roll out over the coming days/weeks.
Google urges all users of the Google Chrome browser and other browsers based on the Chromium engine to ensure the latest update is installed and activated.
In a Chrome stable channel update announcement, published November 28, Google confirms it “is aware that an exploit for CVE-2023-6345 exists in the wild.”
Little has been disclosed about CVE-2023-6345 other than that it is an integer overflow issue affecting the Skia component. Skia, an open-source 2D graphics library, is part of Chrome's graphics engine.
According to VulnDB “the product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value.” This can lead to confidentiality, integrity and availability issues. Such holding back of full technical detail is not unusual in cases where attackers are already exploiting a vulnerability.
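To illustrate the pattern VulnDB describes, here is an added example in C (illustrative code written for this article, not Skia's code and not the CVE-2023-6345 bug itself): a 32-bit-per-pixel buffer size computed from image dimensions, once with the wrap left unchecked and once with the compiler's checked multiplication. The constructed dimensions show both a full wrap to zero and a partial wrap that a "result is larger than the input" guard fails to catch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: the code assumes the product is at least as large as the
 * inputs, so the 32-bit multiplication is allowed to wrap silently. */
static uint32_t unchecked_buffer_size(uint32_t width, uint32_t height) {
    return width * height * 4u;
}

/* A post-hoc guard that still trusts the product. It only rejects wraps that
 * land below the original width, so a partial wrap slips through. */
static bool naive_guard_accepts(uint32_t width, uint32_t height) {
    uint32_t bytes = unchecked_buffer_size(width, height);
    return bytes >= width;
}

/* Hardened form: check every multiplication with the GCC/Clang builtin and
 * return 0 on overflow. Zero is a safe sentinel because a zero-byte pixel
 * buffer is never a valid allocation request. */
static uint32_t checked_buffer_size(uint32_t width, uint32_t height) {
    uint32_t pixels, bytes;
    if (__builtin_mul_overflow(width, height, &pixels)) return 0;
    if (__builtin_mul_overflow(pixels, 4u, &bytes)) return 0;
    return bytes;
}

int main(void) {
    /* Constructed inputs: 65536 x 65536 wraps to exactly 0; 70000 x 70000
     * wraps to a non-zero value that is far smaller than the true size. */
    uint32_t dims[][2] = { {640u, 480u}, {65536u, 65536u}, {70000u, 70000u} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t w = dims[i][0], h = dims[i][1];
        printf("%ux%u: unchecked=%u naive_guard=%s checked=%u\n", w, h,
               unchecked_buffer_size(w, h),
               naive_guard_accepts(w, h) ? "accept" : "reject",
               checked_buffer_size(w, h));
    }
    return 0;
}
```

The naive guard accepts the 70000 x 70000 case even though the computed buffer is about 2.4 GB instead of the roughly 19.6 GB actually needed; the checked version rejects it.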
Mike Walters, president and co-founder of risk-based patch management vendor Action1, says: “It’s worth noting that Google released a patch for a similar integer overflow flaw (CVE-2023-2136) in the same component in April 2023. Since that flaw was also actively exploited as a zero-day, there is a possibility that the purpose of the CVE-2023-6345 patch is to prevent attackers from bypassing the former update.”
Other Fixes in the Update
This update includes 7 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
- [N/A][1491459] High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10
- [$31000][1494461] High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21
- [$10000][1500856] High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09
- [$7000][1501766] High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13
- [$7000][1501770] High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13
- [N/A][1505053] High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group on 2023-11-24
Check That Your Browser Has Updated Now
In Chrome settings, click the About Chrome tab, and click Update Google Chrome. If there is no option to update, you are already on the latest version.