Google patches another critical Chrome security fix
Google has released a patch to fix the second zero-day vulnerability found in its Chrome browser this year.
Much like the previous threat, which was patched mere days ago, this one too is being exploited in the wild, the company confirmed in a security bulletin.
The vulnerability is tracked as CVE-2023-2136, and is described as a high-severity integer overflow bug found in Skia, Google’s open source multi-platform 2D graphics library. Chrome uses Skia to render graphics, text, images, animations, and similar BleepingComputer describes it as a “key component” of the browser’s rendering pipeline.
Allowing access
By abusing the flaw, a potential threat actor could force the browser to render pages incorrectly, suffer memory corruption, and allow for arbitrary code execution. It’s the latter that’s most problematic, as that might allow unauthorized access to the vulnerable endpoint.
The flaw was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG). TAG usually hunts vulnerabilities and malware used by state-sponsored actors, so it wouldn’t be too extraordinary to speculate that this vulnerability was being abused by nation-state attackers.
That being said, Google withheld further details about the flaw and its exploit until the majority of browser instances are patched.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
To secure your browser against this exploit, make sure to bring it up to version 112.0.5615.137. This patch addresses eight vulnerabilities, in total. At press time, the flaw is fixed for Windows and Mac devices, while those working on Linux will have to wait a little longer. Google says the fix for that OS is in the works and should be released “soon”.
While Chrome usually installs these patches automatically at start, users can trigger it manually, too, by navigating to the Chrome menu (three horizontal dots in the upper right corner), tapping Help, and moving to About Google Chrome.
- Here’s our list of the best endpoint protection services today
Via: BleepingComputer