Google Chrome issues emergency security update
On November 28, 2023, Google announced a Chrome security rollout for Mac, Linux, and Windows users in response to a critical “exploit.” In a Stable Channel Update, Google identified several high-impact security fixes for Chrome, including:
- CVE-2023-6348: Type confusion in Spellcheck.
- CVE-2023-6347: Use after free in Mojo.
- CVE-2023-6346: Use after free in WebAudio.
- CVE-2023-6350: Out of bounds memory access in libavif.
- CVE-2023-6351: Use after free in libavif.
- CVE-2023-6345: Integer overflow in Skia.
Of particular concern for users is CVE-2023-6345. Google’s Threat Analysis Group reported the CVE-2023-6345 vulnerability on November 24, 2023. Google describes the vulnerability as an “integer overflow in Skia.” Skia is the open source 2D graphics library that serves as the graphics engine for Google Chrome and other Google products. While Google confirmed that it was aware of the CVE-2023-6345 vulnerability, it did not provide further details about the vulnerability or how it affects Skia and/or Chrome users.
According to the National Institute of Standards and Technology (NIST), CVE-2023-6345 allows a remote attacker to perform a sandbox escape via a malicious file. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) noted that this type of vulnerability is a frequent attack vector for cybercriminals. CISA provided CVE-2023-6345 with a Common Vulnerability Scoring System (CVSS) score of 9.6 on a 10.0 scale. (A CVSS base score of 7.0 to 10.0 is considered high.)
To combat these vulnerabilities and the potential exposure, Google is encouraging users, including corporations, to install the latest version of Chrome. Chrome should be updated to version 119.0.6045.199 on Mac and Linux and to 119.0.6045.199 or 119.0.6045.200 on Windows.
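For administrators who need to confirm that the rollout actually reached their fleet, the following script checks reported Chrome version strings against the fixed builds named above. It is an added example, not code from Google or McDonald Hopkins; the fixed version numbers are the ones quoted in this article, while the inventory hostnames and versions are constructed and the Chrome binary paths used for the local check are assumptions for common installs.

```python
"""Check Chrome version strings against the fixed builds for the Nov 28, 2023 update.

Added example; the fixed versions come from the advisory text, everything
else (sample inventory, binary paths) is an assumption for illustration.
"""
import platform
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Fixed builds as quoted in the advisory. Windows shipped .199 and .200;
# both carry the fix, so .199 is the floor on every platform.
FIXED_VERSIONS: Dict[str, str] = {
    "Darwin": "119.0.6045.199",   # platform.system() name for macOS
    "Linux": "119.0.6045.199",
    "Windows": "119.0.6045.199",
}

# Chrome reports a four-part version, e.g. "Google Chrome 119.0.6045.199".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Pull the four numeric components out of a version string (None if absent).
    Comparing the integer tuple avoids the classic string-compare bug where
    '119.0.6045.99' sorts after '119.0.6045.199'."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    a, b, c, d = (int(p) for p in m.groups())
    return (a, b, c, d)


def is_patched(installed: str, system: str) -> bool:
    """True when `installed` is at or above the advisory's fixed build for
    `system` ("Darwin", "Linux" or "Windows"). Unknown platforms and
    unparseable version strings fail closed, i.e. count as unpatched."""
    floor = FIXED_VERSIONS.get(system)
    have = parse_version(installed)
    if floor is None or have is None:
        return False
    need = parse_version(floor)
    return need is not None and have >= need


def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (hostname, platform, version_string) rows from an asset inventory,
    return the hostnames still below the fixed build, sorted."""
    return sorted(h for h, sysname, ver in inventory if not is_patched(ver, sysname))


def local_chrome_version() -> Optional[str]:
    """Best-effort read of the locally installed Chrome version on Linux/macOS.
    The binary names and paths below are assumptions for common installs;
    returns None when no binary answers (including on Windows)."""
    commands = {
        "Linux": [["google-chrome", "--version"], ["google-chrome-stable", "--version"]],
        "Darwin": [["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "--version"]],
    }
    for cmd in commands.get(platform.system(), []):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and parse_version(out.stdout):
            return out.stdout.strip()
    return None


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-finance-01", "Windows", "Google Chrome 119.0.6045.200"),
    ("ws-finance-02", "Windows", "Google Chrome 119.0.6045.159"),
    ("mac-legal-07", "Darwin", "Google Chrome 118.0.5993.117"),
    ("dev-linux-03", "Linux", "Google Chrome 119.0.6045.199"),
    ("kiosk-lobby", "Linux", "Google Chrome 119.0.6045.99"),
]

if __name__ == "__main__":
    print("Hosts needing update:", hosts_needing_update(SAMPLE_INVENTORY))
    local = local_chrome_version()
    if local is None:
        print("Could not query a local Chrome install.")
    else:
        state = "patched" if is_patched(local, platform.system()) else "UNPATCHED"
        print(f"Local: {local!r} -> {state}")
```

Run it directly to list the constructed hosts that still need the update and, on Linux or macOS, to check the local install. The numeric tuple comparison matters: the `kiosk-lobby` row (`119.0.6045.99`) would pass a naive string comparison yet is well below the fixed build, and unknown platforms or unparseable strings are reported as unpatched so a broken inventory record cannot hide an exposed host.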
For more updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislation. And, if you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.