Google has just had to release a Chrome update comprised of multiple emergency security updates because of zero-day vulnerabilities - for the fourth time this year.
Zero-day vulnerabilities in software (in this case, Chrome) are vulnerabilities that are already known to the wider public and assumed to be known by bad actors. It’s also assumed those bad actors are either actively trying to or already exploiting those vulnerabilities. The "zero-day" refers to developers having zero days ahead of the wider audience in terms of knowing about and being able to address the bug. Here’s what is known about this particular zero-day loophole so far:
The vulnerability has been labelled CVE-2023-4863 by Google, and according to Help Net Security, it’s a ‘critical heap buffer overflow vulnerability’ in Chrome’s code. It explains that buffer overflows can cause crashes and infinite loops, and these moments of overwhelm can be exploited to deploy arbitrary code.
Google brought this issue to attention in its Chrome Releases blog, where the Chrome team publishes news directly. SecurityWeek reports that the exploit was rated as “critical severity”.
Raising the alarm about the vulnerability
Google was informed of this bug by Apple Security Engineering and Architecture (SEAR) and the University of Toronto’s Citizen Lab last week. Citizen Lab works to find exploits like zero-day vulnerabilities that are utilized in targeted spyware attacks from government-endorsed malicious actors looking to harm people like opposition politicians, journalists, and dissidents around the world. It also often investigates and informs on commercial spyware providers.
Google has confirmed that the vulnerability has been taken advantage of in the wild, but it hasn’t provided much information about the bug beyond that. The reasoning for this is probably that Google would like to roll out the patched version update to at least a majority of Chrome users before disclosing any more details, in order to prevent any more exploits from being created.
What Google recommends Chrome users to do next
The newly patched updated version of Chrome is currently being made available to the Stable and the Extended Stable release channels for updates. Google is aiming to get the patch update to all users in the coming weeks. AS well as this, Google has also announced that it has introduced weekly updates for Chrome, so even outside of emergencies, your Chrome browser is being updated (including security-wise) regularly.
Google urges users to install this update as soon as possible; this means version 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows. This should patch CVE-2023-4863.
BleepingComputer writes that this update was already available when it reported the story, and I have found the same to be true. It will require that you restart your browser, but Chrome should also save your session to reopen upon its restart. You can prompt your browser to update by following these steps:
1. Go to the three dot icon in the top right of your Chrome ribbon.
2. Hover to Help and let the drop-down menu appear.
3. Select About Google Chrome.
The top of this section should detail if you’re able to update your browser or not. Your Chrome browser should then check for updates and install them automatically. Finally, it will ask you to relaunch your browser.
This is a pretty worrying development, but Chrome does also enjoy the biggest user base of any browser. The other end of that stick is that it's one of the most alluring caches of user information for hostile actors to try and shake.
It responded proactively and rolled out an update very quickly, and that's the standard we expect from a tech behemoth like Google. Good for it for meeting high expectations.
