If I'm being honest, I would have been happy to get through the end of the 2022 holiday season without a zero-day exploit landing for Google Chrome. Attackers do like to strike when security teams and users alike are kicking back, after all. In fact, the last security update for users of the Google Chrome desktop browser (Windows, Mac and Linux versions) was back on December 13, 2022. That is the same day Microsoft, Adobe and others release their scheduled monthly security updates: Patch Tuesday. Fast forward to January 10, the first Patch Tuesday of 2023, and Google has dropped security fixes for no fewer than 17 Chrome browser vulnerabilities.
Multiple Chrome browser security issues confirmed to start 2023
In a posting to the Chrome Releases blog, Google Chrome technical program manager Prudhvikumar Bommana confirmed the 17 vulnerabilities, ranging from low to high severity. The update for desktop users of the Chrome browser has already started rolling out and will reach all Windows, Mac and Linux users over the coming days and weeks. The version number you need to look out for to be protected from these 17 newly confirmed Chrome security vulnerabilities varies depending on which platform you are using. For Windows users it will be either 109.0.5414.74 or 109.0.5414.75, Mac users should look for 109.0.5414.87, and for Linux it is 109.0.5414.74.
No new year zero-days for Google Chrome users
The good news, as previously mentioned, is that there were no zero-day vulnerabilities included in the January 10 release. There were, however, two high-rated vulnerabilities: CVE-2023-0128, a use-after-free issue in Chrome's Overview Mode, and CVE-2023-0129, a heap buffer overflow vulnerability in the Network Service. Both are memory-corruption bug classes, the sort of flaw that can be turned into code execution in a browser process if an attacker can trigger it reliably, which is why they carry the high rating. Google awarded the security researchers who disclosed these issues a total of $6,000 for their efforts.
Eight medium-severity Chrome security vulnerabilities
A total of $21,000 in bounty rewards was shared between the researchers who disclosed eight medium-rated vulnerabilities. Of these, the biggest bounty was $5,000, awarded to a researcher known as Hafiizh for CVE-2023-0130, an inappropriate implementation issue in the Fullscreen API.
The remaining medium-severity security issues are:
- CVE-2023-0131, another inappropriate implementation, this time in the iframe Sandbox.
- CVE-2023-0132, again an inappropriate implementation, but in Permission prompts.
- CVE-2023-0133, yes, you guessed it, another inappropriate implementation, this one also in Permission prompts.
- CVE-2023-0134, which mixes things up a little by being a use-after-free issue in Chrome's Cart feature.
- CVE-2023-0135, another use-after-free vulnerability in Cart.
- CVE-2023-0136, which returns to the inappropriate implementation problem, once again in the Fullscreen API.
- CVE-2023-0137, which wraps things up with a heap buffer overflow in Platform Apps.
Four low-severity Chrome security vulnerabilities
That just leaves four low-severity vulnerabilities patched as part of this first security update of 2023 for Google Chrome: CVE-2023-0138 (heap buffer overflow in libphonenumber), CVE-2023-0139 (insufficient validation of untrusted input in Downloads), CVE-2023-0140 (inappropriate implementation in the File System API) and CVE-2023-0141 (insufficient policy enforcement in CORS).
All 17 vulnerability fixes are delivered in a single Chrome patch
Google Chrome makes patching security issues in the browser simple, especially for Windows and Mac users, where the update is downloaded automatically. The crucial point is that the update is only applied, and so only protects you from the latest security vulnerabilities, once the browser has been closed and reopened. That isn't a problem for the majority of users who, I suspect, close the browser and shut down their computer every day. However, if you keep multiple tabs open and rarely restart the browser, then you need to make sure it has been closed and reopened as a matter of urgency.
You can check whether your computer is running the latest, up-to-date version of Chrome by selecting the 'About Google Chrome' option from the Chrome Help menu, or by entering chrome://version in the address bar. The About page will not only display the currently installed version but also kick off a download and install if one is available, after which a restart applies it.
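For anyone responsible for more than one machine, checking the About page by hand does not scale. The script below is an added example (not code from the article or from Google): it takes the version string as reported by `google-chrome --version` or the chrome://version page, and compares it against the per-platform minimum builds quoted above. The inventory lines are constructed sample data, and the `SAMPLE_INVENTORY` shape (host, platform, version text) is an assumption about how such output might be collected.

```python
"""Flag Chrome installs that are below the patched build for the
January 10, 2023 release (Chrome 109.0.5414.x).

Added example, not part of the original article. The minimum builds
come from the article; the inventory lines below are constructed.
"""
import re
import sys

# First build per platform that carries the 17 fixes (per the article).
PATCHED_MIN = {
    "windows": (109, 0, 5414, 74),
    "mac": (109, 0, 5414, 87),
    "linux": (109, 0, 5414, 74),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the four-part Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 109.0.5414.74") or the first
    line of chrome://version. Raises ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(text: str, platform: str) -> bool:
    """True if the version in `text` is at or above the patched build for
    `platform` (windows, mac or linux). Integer tuples are compared, so
    109.0.5414.119 correctly ranks above 109.0.5414.87; a plain string
    comparison would get that wrong ("1" < "8")."""
    return parse_version(text) >= PATCHED_MIN[platform.lower()]


# Constructed sample inventory: (hostname, platform, reported version text).
SAMPLE_INVENTORY = [
    ("host-a", "linux", "Google Chrome 109.0.5414.74"),
    ("host-b", "mac", "Google Chrome 108.0.5359.124"),
    ("host-c", "windows", "Google Chrome 109.0.5414.75"),
    ("host-d", "mac", "Google Chrome 109.0.5414.119"),
]


def unpatched_hosts(inventory=SAMPLE_INVENTORY) -> list:
    """Return the hostnames still running a build below the patched minimum."""
    return [host for host, plat, ver in inventory if not is_patched(ver, plat)]


if __name__ == "__main__":
    stale = unpatched_hosts()
    for host in stale:
        print(f"{host}: Chrome needs updating (and a browser restart)")
    sys.exit(1 if stale else 0)
```

Note that a version at or above the patched build only tells you the update has been installed; it does not tell you the browser has been restarted since, which is the caveat the paragraph above makes. On Linux the version reported by the binary is the installed one, and a long-running browser process may still be executing the old code until it is relaunched.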