Google has released a security update for its Chrome web browser to address the second zero-day vulnerability discovered to be exploited in attacks this year. The company stated in a security bulletin, "Google is aware that an exploit for CVE-2023-2136 exists in the wild." The new version of Chrome, 112.0.5615.137, fixes a total of eight vulnerabilities and is currently available for Windows and Mac users. The Linux version will be released "soon," according to Google. To update Chrome manually, users can head to the settings menu and select Help → About Google Chrome. Otherwise, updates will be installed automatically the next time the browser starts, without requiring user intervention. A relaunch of the application is necessary to complete the update.
CVE-2023-2136 is a high-severity integer overflow vulnerability in Skia, a Google-owned open-source multi-platform 2D graphics library written in C++. Skia provides Chrome with APIs for rendering graphics, text, shapes, images, and animations, making it a crucial component of the browser's rendering pipeline. Integer overflow bugs occur when an operation results in a value that surpasses the maximum for a given integer type, potentially leading to unexpected software behavior or security implications. In the context of Skia, this vulnerability might result in incorrect rendering, memory corruption, and arbitrary code execution, ultimately granting unauthorized system access. The vulnerability was reported by Clément Lecigne of Google's Threat Analysis Group (TAG) earlier this month.
As per Google's standard practice when fixing actively exploited flaws in Chrome, the company has not revealed many details about how CVE-2023-2136 was used in attacks, keeping the exploitation method and related risks a matter of speculation. This approach allows users to update their software to a safer version before sharing technical details that could enable threat actors to develop their own exploits. The security bulletin states, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix." Google also mentioned that they will maintain restrictions if the bug exists in a third-party library that other projects similarly rely on but have not yet fixed.
Last Friday, Google released another emergency Chrome update to address CVE-2023-2033, the first actively exploited vulnerability in the browser discovered in 2023. Such flaws are often leveraged by advanced threat actors, typically state-sponsored, who target high-profile individuals in governments, media, or other critical organizations. It is recommended that all Chrome users apply the available update as soon as possible.