UPDATED 19:46 EDT / NOVEMBER 29 2023

SECURITY

Google rolls out emergency update for Chrome after critical vulnerability found

Google LLC has released an emergency security update for its Chrome browser following the discovery of a critical vulnerability that could open the door to attacks.

The vulnerability, tracked as CVE-2023-6345, is described as an integer overflow in Skia in Google Chrome before version 119.0.6045.199 that allows a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. Skia is an open-source 2D graphics library that powers the rendering of web pages in Google Chrome.

The vulnerability was discovered and reported by Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group. The update to Chrome also includes patches for six high-severity vulnerabilities, some of which had been reported through the Chrome Vulnerability Reward Program.

Users, including organizations, are being urged to ensure that they are running the latest version of Chrome, whether on Windows, Mac, or Linux, as the vulnerability affects all versions. Users who do not have Chrome set to allow for automatic updates should manually update their installations.

“Organizations should focus on making sure their browser fleet is up-to-date and well-managed,” Lionel Litty, chief security architect at browser security company Menlo Security Inc., told SiliconANGLE. “Educate users and advise them to restart Chrome regularly so that they get updated. Audit what versions of Chrome you are seeing in your environment.”

Saeed Abbasi, manager of vulnerability and threat research at cloud-based information technology, security and compliance solutions firm Qualys Inc., warns that “Chrome has become a prime target for attackers due to its widespread usage and integration into personal and professional spheres, providing access to a wealth of sensitive information.”

“Despite stringent security measures, the browser’s complex codebase can lead to vulnerabilities,” he said. “Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors. Organizations should prioritize regular updates and patch management to keep browsers up-to-date.”

Abbasi added that “employee training is essential to raise awareness about the dangers of outdated browsers” and suggested that “implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts.”

Image: DALL-E 3

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU