In case anyone thinks that Apple’s Safari browser is the only one to get hit with zero-day security vulnerabilities, Google also issued a critical security update for Chrome today that patches an issue in its own web rendering engine similar to what iOS 17.1.2 and its cohorts fixed in Safari’s WebKit framework.
A new stable update for Chrome announced this week includes seven security fixes, including one for which an exploit exists in the wild.
This means that if you’re a Google Chrome user, you should update your browser immediately, whether on macOS, Windows, or Linux.
While keeping Chrome up to date on the iPhone and iPad is always a good idea, it’s less critical on those devices as Apple forces third-party browsers to use the same WebKit engine that powers Safari. This means that Chrome for iOS and iPadOS will share most of the same vulnerabilities that Safari does on those devices, which were fixed in today’s iOS 17.1.2 release.
More specifically, Apple called out two vulnerabilities discovered in its WebKit frameworks by a security researcher with Google’s Threat Analysis Group (TAG). Reported as CVE-2023-42916 and CVE-2023-42917, the problems in WebKit could allow a maliciously crafted webpage to access sensitive information or execute arbitrary code. To make matters worse, both had reportedly been actively exploited in the wild.
However, it appears a similarly dangerous flaw has been found in Google’s Chrome browser. Discovered by Benoît Sevens and Clément Lecigne of TAG, the latter of whom is also credited with the discovery of the WebKit flaws, CVE-2023-6345 could “potentially perform a sandbox escape via a malicious file” on Chrome for macOS — and Google says it’s “aware that an exploit for [it] exists in the wild.”
In this case, a “sandbox escape” would allow code that would typically run only within the confines of the Chrome browser to affect other processes on your Mac. This could allow a hacker to siphon data from other apps or wreak general havoc on your Mac.
CVE-2023-6345 is triggered by an integer overflow in Skia, which is the 2D graphics library used by Chrome’s rendering engine. It’s not quite identical to the WebKit flaw since Chromium is a different kettle of fish, but it appears to be closely related. More importantly, it could lead to the same end result.
There are six other security fixes in the latest stable release, which is 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows. These are all marked as high priority, but as far as Google knows, only CVE-2023-6345 has been exploited.
The good news for Chrome users is that this update should be applied automatically as long as you’ve restarted Chrome recently. That’s different from iOS updates, which generally take days or even weeks to install automatically.
However, you can check to confirm this by opening your Chrome settings and going to About Chrome on the left sidebar. You’ll see the current version shown near the top and will see a “Relaunch” or “Update Now” button if an update is available and waiting to be installed.