If you use Chrome on Mac, it’s strongly recommended to update it immediately, as a security flaw discovered by Google is being actively exploited by attackers. It could potentially allow personal data to be extracted from your Mac (the same issue also affects Chrome on Windows and Linux).
Google says it is aware of at least one real-life case of the exploit being used by a bad actor …
The US government’s National Institute of Standards and Technology (NIST) has rated the severity of the security issue as high.
Google has given the flaw the same rating.
High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group on 2023-11-24
The bug was discovered last week, but has now been found to be in active use.
Google is not yet revealing any details about how it works. This is standard practice: the company wants to ensure that the majority of users have updated before it reveals any details that might help an attacker exploit it.
The Verge notes the little we do know at this point.
What we do know is that CVE-2023-6345 is an integer overflow weakness that impacts Skia, the open-source 2D graphics library within the Chrome graphics engine. According to notes on the Chrome update, the exploit allowed at least one attacker to “potentially perform a sandbox escape via a malicious file.” Sandbox escapes can be utilized to infect vulnerable systems with malicious code and steal sensitive user data.
But essentially if an attacker can run arbitrary code on your Mac, there is a great deal they can do, even with Apple’s malware protections.
Google says the update rollout is taking place over time, but when I checked, my version of Chrome – set to automatically update – had already received it.
If you already have your Chrome browser set to update automatically then you may not need to take any action. For anyone else, it’s worth manually updating to the latest version (119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows) within the Google Chrome settings to avoid your system being left exposed. Google says the fix is rolling out “over the coming days/weeks,” so it may not be immediately available for everyone at the time of this writing.
FTC: We use income earning auto affiliate links. More.
Comments