What you need to know
- Researchers from Google's Threat Analysis Group discovered a zero-day vulnerability in Google Chrome on Nov. 24.
- Google issued an update today for Chrome on Mac, Linux, and Windows to patch the security vulnerability.
- Google says it is aware that the vulnerability was actively exploited.
On Tuesday, Google started the rollout of a Chrome security patch to fix its sixth zero-day vulnerability in the browser this year. The issue has a Chromium security severity of "high," according to the National Vulnerability Database, which is tracking the bug as CVE-2023-6345.
Although users should install the update as soon as possible, some might have to wait. Google said in the update's release notes that the fix could arrive in the coming days or weeks. However, Android Central was able to install the update on macOS immediately.
The fix is being sent out to Google Chrome browsers on Windows, Linux, and macOS. Chrome users on macOS and Linux will get version 119.0.6045.199, while users on Windows will get either version 119.0.6045.199 or 119.0.6045.200.
In the release notes for the patch, Google said it "is aware that an exploit for CVE-2023-6345 exists in the wild." In other words, attackers were already using the bug before the fix shipped, so you should update as soon as the new version is offered rather than waiting for the next scheduled restart. A memory-corruption bug of this kind can produce anything from a crash of the affected process to arbitrary code execution, depending on how precisely the attacker controls the corrupted memory.
Though we don't have many details about the vulnerability yet, we do know it is related to Google's Skia graphics library. Skia is open-source and is used in Chrome, among other Google apps and software, like ChromeOS. According to the CVE description, the bug is an integer overflow in Skia that could allow a remote attacker who had already compromised the renderer process to escape Chrome's sandbox via a malicious file, which is the step that turns code execution inside the locked-down renderer into code execution on the underlying system. That wording matters: on its own the Skia bug is the second stage of an exploit chain, and an attacker needs a separate vulnerability to get into the renderer first.
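To make the bug class concrete, here is an added C illustration, written for this article rather than taken from Skia or from Google, of how an integer overflow in a size computation fed by file-controlled image dimensions yields an undersized buffer, next to the checked form a hardened decoder uses. It is not the actual CVE-2023-6345 defect, which Google has not published; the header fields, the 65536 x 65537 dimensions and the 1 GiB cap are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the integer-overflow bug class: an image
 * decoder sizes its pixel buffer from header fields the file controls.
 * This is NOT Skia's code and NOT the actual CVE-2023-6345 defect. */

/* Vulnerable pattern: the product is evaluated in 32-bit arithmetic and
 * silently wraps modulo 2^32. For a 65536 x 65537 image at 1 byte per
 * pixel the true size is 4,295,032,832 bytes, but this returns 65536, a
 * plausible-looking number, so the buffer allocated from it is far too
 * small for the rows the decoder later writes into it. */
uint32_t buffer_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened pattern: compute in size_t and prove, before each multiply,
 * that the result cannot wrap. Returns false and leaves *out untouched
 * for any header whose pixel buffer is not representable. */
bool buffer_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;                       /* nothing sensible to decode */
    if ((size_t)height > SIZE_MAX / width)
        return false;                       /* width * height would wrap */
    size_t pixels = (size_t)width * height;
    if ((size_t)bpp > SIZE_MAX / pixels)
        return false;                       /* pixels * bpp would wrap */
    *out = pixels * bpp;
    return true;
}

/* Decoder front end: beyond the wrap check, real codecs also cap the
 * dimensions they accept, because a correctly computed multi-gigabyte
 * request is still a denial-of-service lever. Returns the validated
 * size, or 0 if the header is rejected. */
size_t decodable_size(uint32_t width, uint32_t height, uint32_t bpp,
                      size_t max_bytes)
{
    size_t size;
    if (!buffer_size_checked(width, height, bpp, &size))
        return 0;
    if (size > max_bytes)
        return 0;
    return size;
}

/* Allocates a zeroed pixel buffer only for headers that pass both checks.
 * A decoder built on buffer_size_unchecked would instead get a 65536-byte
 * buffer for the hostile header and overrun it on the second row.
 * Caller frees the result. */
uint8_t *alloc_pixel_buffer(uint32_t width, uint32_t height, uint32_t bpp,
                            size_t max_bytes, size_t *size_out)
{
    size_t size = decodable_size(width, height, bpp, max_bytes);
    if (size == 0)
        return NULL;
    uint8_t *buf = calloc(size, 1);
    if (buf != NULL && size_out != NULL)
        *size_out = size;
    return buf;
}

int main(void)
{
    const size_t cap = (size_t)1 << 30;     /* 1 GiB: constructed limit */
    printf("sane 640x480x4: unchecked=%u checked=%zu\n",
           buffer_size_unchecked(640, 480, 4),
           decodable_size(640, 480, 4, cap));
    printf("hostile 65536x65537x1: unchecked=%u checked=%zu (0 = rejected)\n",
           buffer_size_unchecked(65536, 65537, 1),
           decodable_size(65536, 65537, 1, cap));
    return 0;
}
```

The unchecked function is the shape such bugs usually take: nothing in the arithmetic looks wrong, and the wrapped value is small enough to allocate successfully, so the failure only shows up later as an out-of-bounds write. The checked form rejects the header before any allocation happens.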
As is its usual practice, Google restricts access to the bug report and its details until a majority of Chrome users have received the fix, and it keeps those restrictions in place longer when the bug lives in a shared library that other projects depend on and have not yet patched. Skia is used well beyond Chrome, so details may take a while. The reason is simple: a detailed explanation of the flaw could make it easier for malicious attackers to exploit it against Chrome users who haven't updated yet.
Researchers from Google's Threat Analysis Group found CVE-2023-6345 on Nov. 24. The patch was issued starting Tuesday (Nov. 28), although it's unclear how long the flaw may have been exploited before it was addressed.
People who have automatic updates for Google Chrome enabled may not need to take any action beyond restarting the browser, since a downloaded update does not take effect until Chrome is relaunched. To check, open the Chrome menu and go to Help > About Google Chrome (or Settings > About Chrome). That page shows the installed version and checks for an update on the spot: if it offers a Relaunch button, the fix is downloaded but not yet running, so relaunch; if it says Chrome is up to date and shows 119.0.6045.199 or later (119.0.6045.200 also counts on Windows), you're patched. An "Update Google Chrome" entry in the main menu means the same thing as the Relaunch button.
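For anyone checking more than one machine, the following added C example, which is not from Google or this article, does the same comparison in code: it parses a reported Chrome build string and decides whether it is at or above 119.0.6045.199, comparing the components numerically rather than as strings. The sample version strings are constructed, and the "Google Chrome X.Y.Z.W" line it tolerates as input is an assumption about what `google-chrome --version` prints on Linux.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define VERSION_PARTS 4

/* First build carrying the CVE-2023-6345 fix per the release notes:
 * 119.0.6045.199 on macOS and Linux; Windows received .199 or .200,
 * and both compare at or above this threshold. */
static const unsigned long FIXED_VERSION[VERSION_PARTS] = {119, 0, 6045, 199};

/* Parse a dotted Chrome build such as "119.0.6045.199" into four numbers.
 * Leading text is skipped so a "Google Chrome 119.0.6045.199" line (the
 * assumed format of `google-chrome --version` on Linux) parses too.
 * Returns false for anything that is not exactly four dot-separated
 * numbers followed by optional trailing whitespace. */
bool parse_chrome_version(const char *s, unsigned long out[VERSION_PARTS])
{
    while (*s != '\0' && !isdigit((unsigned char)*s))
        s++;
    for (int i = 0; i < VERSION_PARTS; i++) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return false;
        out[i] = strtoul(s, &end, 10);
        s = end;
        if (i < VERSION_PARTS - 1) {
            if (*s != '.')
                return false;
            s++;
        }
    }
    while (*s != '\0') {
        if (!isspace((unsigned char)*s))
            return false;
        s++;
    }
    return true;
}

/* Component-wise numeric comparison: <0, 0, >0 like strcmp. A plain string
 * compare gets this wrong ("119.0.6045.99" sorts above "119.0.6045.199"
 * because '9' > '1'), which would report an unpatched build as fixed. */
int compare_versions(const unsigned long a[VERSION_PARTS],
                     const unsigned long b[VERSION_PARTS])
{
    for (int i = 0; i < VERSION_PARTS; i++) {
        if (a[i] < b[i]) return -1;
        if (a[i] > b[i]) return 1;
    }
    return 0;
}

/* True only if the reported build parses and is at or above FIXED_VERSION.
 * Unparseable input is treated as unpatched so a broken inventory entry
 * surfaces as a finding rather than silently passing. */
bool chrome_is_patched(const char *reported)
{
    unsigned long v[VERSION_PARTS];
    if (!parse_chrome_version(reported, v))
        return false;
    return compare_versions(v, FIXED_VERSION) >= 0;
}

int main(void)
{
    /* Constructed inventory lines, not output from real hosts. */
    const char *samples[] = {
        "Google Chrome 119.0.6045.199",
        "119.0.6045.200",
        "119.0.6045.159",
        "119.0.6045.99",
        "garbage",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               chrome_is_patched(samples[i]) ? "patched" : "UPDATE NEEDED");
    return 0;
}
```

Feed it whatever your inventory reports: the output of `google-chrome --version` on Linux, of the Chrome binary run with `--version` on macOS, or the version string read from the Windows registry. Keep in mind that these report the version on disk, while chrome://version reports the process actually running; the two differ until the browser has been relaunched, so a host can look patched to the script while still running the vulnerable build.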