Google has released an emergency security update for its Chrome browser that fixes a critical vulnerability that is already being exploited by attackers.
Chrome users should immediately update their stable version of the browser to the new version to protect themselves from potential attacks.
This is easily done on desktop systems: load chrome://settings/help in the browser and wait for it to find and download the update. The page also shows the installed version, which should be one of the following after the update:
- Chrome on Linux or Mac systems: 116.0.5845.187
- Chrome on Windows devices: 116.0.5845.187 or 116.0.5845.188
- Chrome Extended Stable for Mac: 116.0.5845.187
- Chrome Extended Stable for Windows: 116.0.5845.188
Google has not yet released the security update for Android Stable, only for Android Early Stable.
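As an added example (not part of the article), a small Python check that tells whether a reported Chrome version already carries the fix, using the minimum builds listed above; the host inventory in it is constructed, and the platform labels are this example's own.

```python
# Added example: check an installed Chrome version against the fixed builds
# for CVE-2023-4863 listed in the article. Fields are compared as integers
# because a plain string comparison would wrongly rank "116.0.5845.99"
# above "116.0.5845.187".

# Minimum patched build per platform/channel (values from the article;
# the platform keys are this example's own labels).
FIXED_VERSIONS = {
    "linux": "116.0.5845.187",
    "mac": "116.0.5845.187",
    "windows": "116.0.5845.187",
    "extended-mac": "116.0.5845.187",
    "extended-windows": "116.0.5845.188",
}


def parse_version(version):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints; reject junk."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, platform):
    """True if the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[platform])


if __name__ == "__main__":
    # Constructed sample inventory: (host, platform, reported version)
    inventory = [
        ("ws01", "windows", "116.0.5845.140"),
        ("ws02", "windows", "116.0.5845.188"),
        ("build1", "linux", "116.0.5845.187"),
        ("mac-dev", "extended-mac", "114.0.5735.198"),
    ]
    for host, platform, version in inventory:
        state = "ok" if is_patched(version, platform) else "NEEDS UPDATE"
        print(f"{host:8} {platform:17} {version:16} {state}")
```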
Google has provided some information about the critical Chrome security flaw on the official Chrome Releases blog. This is a buffer overflow vulnerability in WebP.
WebP is an image format that “provides superior lossless compression for images on the Web,” according to Google. Google reports that WebP images are on average 26% smaller in size compared to PNG images and between 25% and 34% smaller than JPEG images.
WebP is a common image format on the Internet. While Google offers no further details about the vulnerability, it does warn that the flaw is already being exploited in the wild.
The vulnerability, CVE-2023-4863, is the fourth zero-day that Google has fixed in Chrome in 2023. The previous three were:
- CVE-2023-2033 – Type Confusion in V8 (Chrome 112)
- CVE-2023-2136 – Integer overflow in the Skia graphics library (Chrome 112)
- CVE-2023-3079 – Type Confusion in V8 (Chrome 114)