A critical security update is now available for some Chrome users on Mac, Linux, and Windows that patches a zero-day vulnerability that could make systems susceptible to data theft and other cyberattacks. On Tuesday, Google confirmed in a Chrome stable channel update that it “is aware that an exploit for CVE-2023-6345 exists in the wild.” The vulnerability was discovered on November 24th by two security researchers working within Google’s Threat Analysis Group (TAG).
Google hasn’t released many details about the CVE-2023-6345 exploit yet, but that’s to be expected. As Android Central notes, Google, like many tech companies, often opts to keep information about vulnerabilities under wraps until they’ve been largely addressed, as detailed information could make it easier for attackers to exploit unprotected Chrome users. It isn’t clear how long the vulnerability had been actively exploited prior to its discovery last week.
What we do know is that CVE-2023-6345 is an integer overflow weakness that impacts Skia, the open-source 2D graphics library within the Chrome graphics engine. According to notes on the Chrome update, the exploit allowed at least one attacker to “potentially perform a sandbox escape via a malicious file.” Sandbox escapes can be utilized to infect vulnerable systems with malicious code and steal sensitive user data.
If you already have your Chrome browser set to update automatically, then you may not need to take any action. For anyone else, it’s worth manually updating to the latest version (119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows) within the Google Chrome settings to avoid your system being left exposed. Google says the fix is rolling out “over the coming days/weeks,” so it may not be immediately available to everyone at the time of this writing.