PSA: Update Chrome on Mac, as security flaw is being actively exploited

If you use Chrome on Mac, it’s strongly recommended to update it immediately, as a security flaw discovered by Google is being actively exploited by attackers. It could potentially allow personal data to be extracted from your Mac (the same issue also affects Chrome on Windows and Linux).

Google says it is aware of at least one real-life case of the exploit being used by a bad actor …

The US government’s National Institute of Standards and Technology (NIST) has rated the severity of the security issue as high.

Google has given the flaw the same rating.

High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group on 2023-11-24

The bug was discovered last week, but has now been found to be in active use.

Google is not yet revealing any details about how it works. This is standard practice: the company wants to ensure that the majority of users have updated before it reveals any details that might help an attacker exploit it.

The Verge notes the little we do know at this point.

What we do know is that CVE-2023-6345 is an integer overflow weakness that impacts Skia, the open-source 2D graphics library within the Chrome graphics engine. According to notes on the Chrome update, the exploit allowed at least one attacker to “potentially perform a sandbox escape via a malicious file.” Sandbox escapes can be utilized to infect vulnerable systems with malicious code and steal sensitive user data.

Essentially, if an attacker can run arbitrary code on your Mac, there is a great deal they can do, even with Apple’s malware protections.

Google says the update rollout is taking place over time, but when I checked, my version of Chrome – set to automatically update – had already received it.

If you already have your Chrome browser set to update automatically then you may not need to take any action. For anyone else, it’s worth manually updating to the latest version (119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows) within the Google Chrome settings to avoid your system being left exposed. Google says the fix is rolling out “over the coming days/weeks,” so it may not be immediately available for everyone at the time of this writing.

Author: Ben Lovejoy