Google has released a security update for the Chrome web browser to fix the second zero-day vulnerability found to be exploited in attacks this year.
“Google is aware that an exploit for CVE-2023-2136 exists in the wild,” reads the security bulletin from the company.
The new version is 112.0.5615.137 and fixes a total of eight vulnerabilities. The stable release is available only for Windows and Mac users, with the Linux version to roll out “soon,” Google says.
To start the Chrome update procedure manually to the latest version that addresses the actively exploited security issue, head to the Chrome settings menu (upper right corner) and select Help → About Google Chrome.
Otherwise, the updates are installed the next time the browser starts without requiring user intervention. Relaunching the application is required to complete the update.
No exploitation details
CVE-2023-2136 is a high-severity integer overflow vulnerability in Skia, a Google-owned open-source multi-platform 2D graphics library written in C++.
Skia provides Chrome with a set of APIs for rendering graphics, text, shapes, images, and animations, and it is considered a key component of the browser’s rendering pipeline.
Integer overflow bugs occur when an operation results in a value that exceeds the maximum for a given integer type, often leading to unexpected software behavior or having security implications.
In the context of Skia, it might lead to incorrect rendering, memory corruption, and arbitrary code execution that leads to unauthorized system access.
The vulnerability was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) earlier this month.
Following its standard practice when fixing actively exploited flaws in Chrome, Google has not disclosed many details about how CVE-2023-2136 was used in attacks, leaving open to speculation the exploitation method and related risks.
This is to allow users to update their software to the safer version before sharing technical details that could enable threat actors to develop their own exploits.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” reads the security bulletin.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed” – Google
Last Friday, Google released another emergency Chrome update to fix CVE-2023-2033, the first actively exploited vulnerability in the browser discovered in 2023.
These flaws are typically leveraged by advanced threat actors, most of the time state-sponsored, who target high-profile individuals working in governments, media, or other critical organizations. Therefore, it is recommended that all Chrome users apply the available update as soon as possible.