Update Google Chrome now - another zero-day security flaw has been found

News
By
published

TAG found a Google Chrome zero-day that's actively being abused in the wild

Google Chrome logo on desktop and mobile
(Image credit: Shutterstock)

If you’re a Google Chrome user, make sure to check for the latest update, because Google just patched its sixth zero-day vulnerability of the year. 

The vulnerability, stemming from an integer overflow weakness in the Skia open-source 2D graphics library, is being actively abused in the wild, so don’t wait to update your browser.

The vulnerability was discovered late last week by two security researchers working with Google’s Threat Analysis Group (TAG). This department is usually tasked with finding zero-day vulnerabilities in endpoints and tracking state-sponsored threat actors, so it’s safe to assume that at least one of the groups exploiting this flaw was state-sponsored.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

No further details

Google said it will not disclose more details about this vulnerability until the majority of the browsers have been updated. The earliest secure version is 119.0.6045.199/.200 for Windows users and 119.0.6045.199 for Mac and Linux users.

While Google usually rolls out the patch slowly across different regions, when we checked for updates, it was already available (version 119.0.6045.200). "Google is aware that an exploit for CVE-2023-6345 exists in the wild," the company said.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company said.

Withholding details is standard practice for vulnerabilities that are being actively exploited, as sharing more could motivate other attackers to develop their own malware. 

Google has so far fixed six zero-day vulnerabilities this year, including two that were addressed in September - CVE-2023-5217 and CVE-2023-4863. These two were also being abused in the wild, Google said at the time. 

Chrome is one of the world’s most popular browsers, making it an attractive target for criminals.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.