Highlights:
- The vulnerability, CVE-2023-6345, is an integer overflow in Skia in Google Chrome before version 119.0.6045.199.
- Users, including organizations, are strongly advised to ensure they are running the latest version of Chrome on Windows, Mac, or Linux, as malicious files impact all previous versions of the browser.
Google LLC issued an emergency security update for its Chrome browser after uncovering a critical vulnerability that poses a potential threat to security.
The vulnerability, CVE-2023-6345, is an integer overflow in Skia in Google Chrome before version 119.0.6045.199. This flaw could enable a remote attacker who has compromised the renderer process to execute a sandbox escape through a malicious file. Skia is an open-source 2D graphics library crucial in rendering web pages within the Google Chrome browser.
Google’s Threat Analysis Group’s Benoît Sevens and Clément Lecigne identified and disclosed the vulnerability. Patches for six critical vulnerabilities, some of which were reported via the Chrome Vulnerability Reward Program, are also included in the Chrome update.
It is strongly advised that all users, including organizations, utilize the most recent iteration of Chrome on their respective operating systems (Windows, Mac, or Linux), due to the fact that the vulnerability impacts every version. Chrome users whose settings do not permit automatic updates must update their installations manually.
Lionel Litty, Chief Security Architect at browser security company Menlo Security Inc., said, “Organizations should focus on making sure their browser fleet is up-to-date and well-managed. Educate users and advise them to restart Chrome regularly so that they get updated. Audit what versions of Chrome you are seeing in your environment.”
Saeed Abbasi, Manager of Vulnerability and Threat Research at Qualys Inc., a cloud-based IT, security, and compliance solutions firm, cautions that “Chrome has become a prime target for attackers due to its widespread usage and integration into personal and professional spheres, providing access to a wealth of sensitive information.”
He added, “Despite stringent security measures, the browser’s complex codebase can lead to vulnerabilities. Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors. Organizations should prioritize regular updates and patch management to keep browsers up-to-date.”
Saeed Abbasi added that “employee training is essential to raise awareness about the dangers of outdated browsers” and recommended that “implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts.”