Google Chrome Update Addresses Actively Exploited High-Severity Zero-Day Vulnerability

The most recent updates for Google Chrome address a vulnerability that enables attackers to execute malicious code on a user’s computer using a corrupted file.

Google is rolling out a security patch for its Chrome web browser that fixes a security flaw that could allow a malicious user to run dangerous code on a user’s computer. The update is available for Windows, macOS, and Linux computers and users should install the latest version in order to remain protected from the zero-day vulnerability — the sixth one to be patched by Google this year. The company is expected to provide more information once the update has been rolled out to several users.

Spotted by Android Central, the update to Google Chrome 119.0.6045.199 for macOS and Linux began rolling out to users earlier this week, alongside version 119.0.6045.200 for Windows computers, with a fix for a zero-day vulnerability in tow. Zero-day vulnerabilities are flaws that were previously unknown to the developers of the software, making them a target for malicious users.

With the latest Google Chrome update, the company has patched the security bug tracked by the National Institute of Standards and Technology (NIST) as CVE-2023-6345. While the company hasn’t revealed a great deal of information related to the security flaw, it says in its release notes for the latest update that it knows that “an exploit for CVE-2023-6345 exists in the wild”. Users should enable automatic updates for Chrome or manually update to the latest versions in order to get the latest fixes.
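For administrators checking a fleet against the fixed builds named above, the following added example (not from Google or the original article) compares reported Chrome versions numerically, per platform. The inventory rows, host names, and the function names `parse_version`, `assess` and `audit` are constructed for illustration.

```python
import re

# Fixed builds as stated in the article, keyed by platform.
FIXED = {
    "windows": (119, 0, 6045, 200),
    "macos": (119, 0, 6045, 199),
    "linux": (119, 0, 6045, 199),
}

# Chrome versions have exactly four numeric components.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is malformed."""
    match = VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def assess(platform, version_text):
    """Classify one install as 'patched', 'needs_update' or 'unknown'."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Tuple comparison is numeric per component, so build 99 sorts below 199
    # (a plain string comparison would rank "…6045.99" above "…6045.199").
    return "patched" if version >= fixed else "needs_update"


def audit(inventory):
    """Map each host in (host, platform, version) rows to its status."""
    return {host: assess(platform, version) for host, platform, version in inventory}


# Constructed sample inventory (hypothetical hosts and reported versions).
SAMPLE = [
    ("host-a", "Windows", "119.0.6045.199"),  # one build short of the Windows fix
    ("host-b", "macOS", "119.0.6045.199"),
    ("host-c", "Linux", "119.0.6045.99"),
    ("host-d", "Linux", "120.0.6099.62"),
    ("host-e", "Windows", "119.0.6045"),      # truncated version string
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

The check covers Google Chrome only; other Chromium-based browsers use their own version numbers and are not assessed here.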

Meanwhile, the NIST website has classified the vulnerability as “High” severity. According to the description, the issue is linked to the open-source Skia library utilized in Google Chrome. Exploiting this vulnerability, an attacker could leverage a malicious file to compromise the renderer process and evade the sandbox – a security mechanism designed to isolate the browser from the underlying system for enhanced protection.

Google credits the discovery of this vulnerability to Benoît Sevens and Clément Lecigne from its Threat Analysis Group (TAG). The flaw, identified on November 24, was promptly addressed by the company. Currently, it remains uncertain whether other browsers and applications based on Google’s open-source Chromium browser project are also susceptible to this flaw and when they can expect security updates.