Google rolls out urgent security update for zero-day vulnerability in Chrome
Google has released an urgent security update to address a new zero-day vulnerability, CVE-2023-6345, in Google Chrome, which is being exploited in the wild. The patch has been released globally for Windows (version 119.0.6045.199/.200) and Mac/Linux (version 119.0.6045.199) on the Stable Desktop channel. However, Google warns that the staged rollout could take days or weeks to reach all users. Rather than wait, you can force the check yourself by opening Settings > About Chrome (chrome://settings/help), which fetches the update immediately and prompts for a relaunch.
The vulnerability, a high-severity zero-day, is an integer overflow in the Skia open-source 2D graphics library. An overflow of this kind can lead to crashes or arbitrary code execution, and the flaw has been used in spyware attacks. Skia, where the bug was found, is also used by Chrome OS, Android, and Flutter. The same release fixes further high-severity bugs: use-after-free, out-of-bounds memory access, and type confusion in components including Spellcheck, WebAudio, and libavif.
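To make the step from "integer overflow" to "crash or code execution" concrete, below is an added illustration of the bug class in C. It is not Skia's code and not the actual CVE-2023-6345 bug; the bitmap_info_t struct, the function names, and the 1 GiB MAX_BITMAP_BYTES policy limit are hypothetical. The vulnerable routine computes a buffer size in 32-bit arithmetic, so attacker-chosen dimensions wrap the product to a tiny value; the allocation succeeds, but the code that later writes width * height * bpp pixel bytes runs far past the end of the heap buffer. The hardened routine does the multiplication with overflow checks in size_t and applies an explicit upper bound.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical bitmap header; not a Skia type. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} bitmap_info_t;

/* Hypothetical policy limit on a single bitmap allocation (1 GiB). */
#define MAX_BITMAP_BYTES ((size_t)1 << 30)

/* Vulnerable pattern: the product is evaluated in 32 bits and silently
 * wraps modulo 2^32. For width=65536, height=65537, bpp=4 the true size
 * is about 16 GiB but this returns 262144, i.e. exactly one row. */
uint32_t bitmap_bytes_unchecked(const bitmap_info_t *info)
{
    return info->width * info->height * info->bytes_per_pixel;
}

/* Portable checked multiply: returns false instead of wrapping. */
static bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened pattern: reject zero dimensions, multiply with overflow
 * checks in size_t, and enforce an upper bound. Returns 0 on rejection
 * (0 is never a valid size here because zero dimensions are refused). */
size_t bitmap_bytes_checked(const bitmap_info_t *info, size_t limit)
{
    size_t row_bytes, total;
    if (info->width == 0 || info->height == 0 || info->bytes_per_pixel == 0)
        return 0;
    if (!mul_size((size_t)info->width, (size_t)info->bytes_per_pixel, &row_bytes))
        return 0;
    if (!mul_size(row_bytes, (size_t)info->height, &total))
        return 0;
    if (total > limit)
        return 0;
    return total;
}

/* Given the bytes actually allocated, return the index of the first row
 * whose write would cross the end of the buffer, or height if every row
 * fits. This models the heap overflow without performing it. Assumes a
 * 64-bit size_t so width * bpp cannot itself wrap here. */
uint32_t first_overflowing_row(size_t alloc_bytes, const bitmap_info_t *info)
{
    size_t row_bytes = (size_t)info->width * info->bytes_per_pixel;
    size_t rows_backed = row_bytes ? alloc_bytes / row_bytes : 0;
    return rows_backed >= info->height ? info->height : (uint32_t)rows_backed;
}

int main(void)
{
    /* Constructed attacker-controlled dimensions chosen so that
     * width * height * bpp == 2^34 + 2^18, which wraps to 2^18. */
    bitmap_info_t evil = { 65536u, 65537u, 4u };
    bitmap_info_t benign = { 640u, 480u, 4u };

    uint32_t wrapped = bitmap_bytes_unchecked(&evil);
    printf("unchecked size for %ux%u@%u: %u bytes\n",
           evil.width, evil.height, evil.bytes_per_pixel, wrapped);
    printf("first row written past that buffer: %u of %u\n",
           first_overflowing_row(wrapped, &evil), evil.height);
    printf("checked size: %zu (0 means rejected)\n",
           bitmap_bytes_checked(&evil, MAX_BITMAP_BYTES));
    printf("checked size for benign %ux%u: %zu bytes\n",
           benign.width, benign.height,
           bitmap_bytes_checked(&benign, MAX_BITMAP_BYTES));
    return 0;
}
```

The point of the limit is that a correctly computed 16 GiB request is still not something a renderer should honour from untrusted input; rejecting early also keeps the failure mode a clean error rather than an allocator failure deep in the drawing path.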
Google is withholding the zero-day's details until most users have updated, to keep threat actors from building their own exploits from the bug report. If third-party software that also embeds the vulnerable code remains unpatched, the restriction will stay in place longer. Expect other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi to ship updates for these vulnerabilities soon, and apply them as they arrive. In the meantime, you could take a look at the most widely known non-Chromium-based alternative, Mozilla Firefox, or two of its more popular forks, LibreWolf and Pale Moon. Note, though, that Firefox ships its own copy of Skia for canvas rendering, so switching browsers is no substitute for keeping whatever you run patched.


Comments
Haha nice to see Firefox being recommended here