You Should Update Chrome Right Now (Again)

Attention Chrome and Chromium-browser users: Your internet activity is vulnerable to cyberattacks, unless you update to the latest version of your browser.

On Tuesday, Google announced on the Chrome Releases blog that a new version of Chrome, 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, is available, and patches seven different security vulnerabilities. All of these discovered issues are rated as "high" in severity, but Google only names six of them:

• High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10

• High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21

• High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09

• High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13

• High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13

• High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on 2023-11-24

While all vulnerabilities are important to patch, it's the last one, CVE-2023-6345, this is the most concerning. Google confirmed it is aware an exploit for this vulnerability exists in the wild, which means bad actors either know how to use it against users, or they already have.

We don't know much about the issue, other than that it's an integer overflow flaw in Skia. Skia is an open source 2D graphics engine, while an integer overflow occurs when the result of an operation doesn't fit the respective amount of memory the system sets aside. While not all integer overflow flaws lead to vulnerabilities, this one does—which means bad actors may be able to use it to take over the system.

This update follows a Nov. 14 update that patched four security flaws, as well as a Nov. 7 update that patched one. The last update that patched a zero-day security flaw was issued Sept. 11.

How to update your browser

As this flaw affects the underlying code used in Chrome, all Chromium-based browsers should be updated to patch this issue. That means Chrome, of course, but also browsers like Edge, Opera, and Brave.

Your browser may be set to update automatically, but you can trigger an update manually if the update hasn't been installed yet. Usually, that's in the browser's settings. In Chrome, for example, you can click the three dots in the top-right corner of the window, head to Help > About Google Chrome, then allow the browser to look for an update. If one is available, follow the on-screen instructions to install the update.