A vulnerability could allow hackers to crash Google’s browser, and even steal users’ personal data, if not more.
Chrome developers have had to work hard this year. The most popular browser in the world has, in fact, been the subject of several urgent updates, all concerning zero-day flaws.
The latest, listed under the name CVE-2023-6345 and reported on November 24, opens a major breach in Internet users' devices, and could affect software other than Google Chrome, or even operating systems.
Crash Chrome to access user data
If you use Google's browser, it is in your best interest to check the version installed on your computer now. The firm has just urgently released a patch to fix a flaw affecting, once again, the Skia 2D graphics engine, which allows an attacker to crash Chrome and execute arbitrary code. A good opportunity for hackers, many of whom must already be looking into the subject. It is therefore advisable to update this software as soon as possible.
The patched version is 119.0.6045.199/.200 for Windows, and 119.0.6045.199 for macOS and Linux. Your browser should quickly install this patch on its own, depending on your settings, of course. If Chrome can't find this update for you yet, don't panic: Google says its deployment will take several days or weeks to reach all users.
A flaw used for espionage campaigns?
CVE-2023-6345 was discovered by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG). This research department is renowned for spotting zero-day vulnerabilities that are often exploited by states, for example as part of espionage campaigns. Although Google is not saying more about the current impact of this flaw, it is already being exploited, and, given that TAG found it, certainly not by just any malicious actors.
However, you will have to wait a little to find out more. “Access to bug details and links may be restricted until the majority of users have received a patch,” explains Google. “We will also maintain restrictions if the bug exists in a third-party library that other projects depend on, but has not yet been fixed.”
Indeed, Skia is also used by ChromeOS and Android. If the Chrome flaw can also be exploited on these two operating systems, it could put even more devices at risk. It’s now up to Google to make sure this doesn’t happen.
Source: BleepingComputer