Latest Chrome Update Patches a Critical Security Flaw
In case anyone thinks that Apple’s Safari browser is the only one to get hit with zero-day security vulnerabilities, Google also issued a critical security update for Chrome today that patches a problem in its own web rendering engine similar to what iOS 17.1.2 and its cohorts fixed in Safari’s WebKit framework.
A new stable update for Chrome announced this week includes seven security fixes, including one for which an exploit exists in the wild.
This means that if you’re a Google Chrome user, you should update your browser right away, whether on macOS, Windows, or Linux.
While keeping Chrome up to date on the iPhone and iPad is always a good idea, it’s less critical on those devices as Apple forces third-party browsers to use the same WebKit engine that powers Safari. This means that Chrome for iOS and iPadOS will share most of the same vulnerabilities that Safari does on those devices, which have been fixed in today’s iOS 17.1.2 release.
More specifically, Apple called out two vulnerabilities discovered in its WebKit frameworks by a security researcher with Google’s Threat Analysis Group (TAG). Reported as CVE-2023-42916 and CVE-2023-42917, the flaws in WebKit could allow a maliciously crafted webpage to access sensitive information or execute arbitrary code. To make matters worse, both had reportedly been actively exploited in the wild.
However, it turns out a similarly dangerous flaw has been found in Google’s Chrome browser. Discovered by Benoît Sevens and Clément Lecigne of TAG, the latter of whom is also credited with the discovery of the WebKit flaws, CVE-2023-6345 could “potentially perform a sandbox escape via a malicious file” on Chrome for macOS — and Google says it’s “aware that an exploit for [it] exists in the wild.”
In this case, a “sandbox escape” would allow code that could typically run only within the confines of the Chrome browser to affect other processes on your Mac. This could allow a hacker to siphon data from other apps or wreak general havoc on your Mac.
CVE-2023-6345 is triggered by an integer overflow in Skia, which is the 2D graphics library used by Chrome’s rendering engine. It’s not quite identical to the WebKit flaw since Chromium is a different kettle of fish, but it appears to be closely related. More importantly, it can lead to the same end result.
There are six other security fixes in the latest stable release, which is 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows. These are all marked as high priority, but as far as Google knows, only CVE-2023-6345 has been exploited.
The good news for Chrome users is that this update should be applied automatically as long as you’ve restarted Chrome recently. That’s different from iOS updates, which sometimes take days or weeks to install automatically.
Still, you can check to confirm this by opening your Chrome settings and going to About Chrome on the left sidebar. You’ll see the current version shown near the top and should see a “Relaunch” or “Update Now” button if an update is available and waiting to be installed.