Google has released a security update for the Chrome web browser to fix the second zero-day vulnerability that has been exploited in attacks this year.
“Google is aware that an exploit for CVE-2023-2136 exists in the wild,” reads the company’s security bulletin.
The new version is 112.0.5615.137 and fixes a total of eight vulnerabilities. The stable version is only available for Windows and Mac users, with the Linux version expected to roll out “soon”, Google says.
To manually initiate the process of updating Chrome to the latest version that resolves the actively exploited security issue, go to the Chrome settings menu (upper right corner) and select Help → About Google Chrome.
Otherwise, updates are installed the next time the browser is started without requiring user intervention. It is necessary to restart the application to complete the update.
No exploitation details
CVE-2023-2136 is a high-severity integer overflow vulnerability in Skia, an open source cross-platform 2D graphics library owned by Google written in C++.
Skia provides Chrome with a set of APIs for rendering graphics, text, shapes, images, and animations, and it’s considered a key part of the browser’s rendering pipeline.
Integer overflow bugs occur when an operation results in a value that exceeds the maximum for a given integer type, often resulting in unexpected software behavior or with security implications.
In the context of Skia, this can lead to incorrect rendering, memory corruption, and arbitrary code execution leading to unauthorized system access.
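To make the mechanism concrete, here is an added C example (not Skia's code, and not taken from the advisory) of the kind of arithmetic an integer overflow bug lives in: an image buffer size computed as width × height × bytes-per-pixel in 32-bit arithmetic. The function names and the sample dimensions are constructed for illustration. The unchecked version wraps around for large dimensions and returns a size far smaller than the pixel data that will later be written into the buffer, which is the classic path from an overflowed integer to heap memory corruption; the checked version refuses any product that does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Hypothetical size computation with no overflow handling.
   uint32_t arithmetic wraps modulo 2^32, so a large width/height pair can
   yield a tiny (even zero) allocation size. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;
}

/* Hardened version: each multiplication is checked against UINT32_MAX before
   it is performed. Returns the byte count, or -1 if it would not fit in
   32 bits and the caller must reject the image. Written without compiler
   builtins so it is portable to any C99 toolchain. */
int64_t checked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    if (width != 0 && height > UINT32_MAX / width)
        return -1;                       /* width * height overflows */
    uint32_t pixels = width * height;
    if (pixels != 0 && bpp > UINT32_MAX / pixels)
        return -1;                       /* pixels * bpp overflows */
    return (int64_t)(pixels * bpp);
}

/* Detection helper: true when the unchecked size is smaller than the real
   requirement, i.e. a later pixel-copy loop would write past the buffer. */
bool unchecked_size_is_undersized(uint32_t width, uint32_t height, uint32_t bpp) {
    uint64_t real = (uint64_t)width * height * bpp;   /* 64-bit, no wrap here */
    return (uint64_t)unchecked_image_bytes(width, height, bpp) < real;
}

int main(void) {
    /* Constructed sample inputs: a normal image and an adversarial one. */
    struct { uint32_t w, h, bpp; } samples[] = {
        { 640, 480, 4 },        /* ordinary 640x480 RGBA image */
        { 65536, 65536, 4 },    /* 65536*65536 == 2^32, wraps to 0 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t w = samples[i].w, h = samples[i].h, bpp = samples[i].bpp;
        printf("%ux%u @ %u bpp: unchecked=%u checked=%lld undersized=%s\n",
               w, h, bpp, unchecked_image_bytes(w, h, bpp),
               (long long)checked_image_bytes(w, h, bpp),
               unchecked_size_is_undersized(w, h, bpp) ? "yes" : "no");
    }
    return 0;
}
```

The defensive point is that the check has to happen before the multiplication, on every step of the product, and that rejecting the input is the correct outcome; clamping or silently truncating the size only moves the inconsistency somewhere else in the pipeline.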
The vulnerability was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) earlier this month.
In keeping with its usual practice when fixing actively exploited flaws in Chrome, Google did not disclose many details about how CVE-2023-2136 was used in the attacks, leaving the method of attack, the operations behind it, and the associated risks open to speculation.
This allows users to update their software to the most secure version before sharing technical details that could allow hackers to develop their own exploits.
“Access to bug details and links may be restricted until a majority of users are updated with a fix,” reads the security bulletin.
“We’ll also keep restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed” – Google
Last Friday, Google released another emergency Chrome update to fix CVE-2023-2033, the first actively exploited vulnerability in the browser discovered in 2023.
These flaws are typically exploited by advanced, mostly state-sponsored threat actors who target high-level individuals working in governments, the media, or other critical organizations. Therefore, all Chrome users are recommended to apply the available update as soon as possible.