Critical Security Vulnerability in Google Chrome

17 May 2023

Google has released an update for the Chrome web browser overnight that addresses at least one critical security vulnerability. The vulnerability allows attackers to inject and execute malicious code.

In total, the update includes fixes for twelve security vulnerabilities, according to Google's release notes. Apparently only six of them were reported by external IT security researchers, as brief descriptions are available only for those six. Of these, at least one is rated critical, four pose a high security risk, and one is classified by Google's developers as a moderate threat.

Google Chrome: Critical Vulnerability

The most severe vulnerability addressed by the new browser version is a use-after-free flaw in the Navigation component. In this class of bug, the program code mistakenly accesses memory that has already been released; its contents are then undefined and may contain or reference attacker-controlled data. The developers explain in the CVE entry that the flaw leads to heap memory corruption, which attackers can potentially exploit "by means of a manipulated website" (CVE-2023-2721, no CVSS score yet, risk classified as "critical" by Google).

Among the listed high-risk vulnerabilities, three are also use-after-free weaknesses, in the Autofill UI, DevTools, and Guest View components (CVE-2023-2722, CVE-2023-2723, CVE-2023-2725, no CVSS score, high risk). In the V8 JavaScript engine, a type confusion error can occur: when data is treated as a type it does not actually have, the engine can end up accessing unintended memory areas (CVE-2023-2724, no CVSS score, high risk).

The flaws are patched in Chrome versions 113.0.5672.121 for iOS, 113.0.5672.126 for Linux and Mac, and 113.0.5672.126/.127 for Windows. Meanwhile, the extended stable version of the web browser for Mac and Windows is updated to version 112.0.5615.204.

Checking the Version

To check whether the current version is already running on your computer, click the icon with three stacked dots to the right of the address bar, then go to "Help" - "About Google Chrome." This opens the version dialog, which displays the currently running version and starts the update process if necessary.

Under Linux, updates are typically delivered through the distribution's own software management system. Therefore, users should check for updates within their software management and apply them when available. Since the vulnerabilities affect the underlying Chromium project, web browsers based on Chromium, such as Microsoft Edge, are likely to release updates soon as well. Users should promptly install those updates too.
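For Linux administrators who would rather script the check than click through the dialog, the following POSIX shell snippet is an added example (not from the article or from Google): it compares the version string reported by the installed browser with the fixed Linux build the article names, 113.0.5672.126. The binary names it probes are assumptions.

```shell
#!/bin/sh
# Added example: is the installed Chrome/Chromium at or above the fixed Linux build?
# The fixed version is taken from the article; the binary names below are assumptions.
FIXED_LINUX="113.0.5672.126"

# version_ge A B: return 0 if dotted version A >= B, comparing field by field numerically
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0          # missing trailing fields count as 0
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# extract_version "Google Chrome 113.0.5672.126": print the first dotted numeric field
extract_version() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit } }'
}

# chrome_status VERSION: print "patched" (exit 0) or "vulnerable" (exit 1)
chrome_status() {
    if version_ge "$1" "$FIXED_LINUX"; then echo "patched"; return 0; fi
    echo "vulnerable"; return 1
}

# Stand-alone usage: query the first browser binary found on this machine, if any.
for bin in google-chrome google-chrome-stable chromium chromium-browser; do
    if command -v "$bin" >/dev/null 2>&1; then
        v=$(extract_version "$("$bin" --version 2>/dev/null)")
        if [ -n "$v" ]; then
            printf '%s %s: %s\n' "$bin" "$v" "$(chrome_status "$v")"
        else
            printf '%s: could not parse version output\n' "$bin"
        fi
        break
    fi
done
```

The same comparison applies to the Mac build (also 113.0.5672.126); for Windows, set FIXED_LINUX to 113.0.5672.126 or .127 as appropriate.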

Google last updated the Chrome web browser two weeks ago, addressing 15 vulnerabilities. That update to version 113 also introduced support for WebGPU, making Chrome the first browser to implement this feature.
