Latest severe Chrome bug prompts CISA warning
A severe vulnerability that led Google to issue an emergency update of the Chrome browser has been exploited on the open internet, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed Thursday.
The bug, which affects 2D graphics-rendering code known as Skia, has been added to the agency’s Known Exploited Vulnerabilities (KEV) catalog. Google released a security fix on Tuesday for the flow, tracked as CVE-2023-6345.
The company said at the time that it was “aware that an exploit for CVE-2023-6345 exists in the wild,” but did not offer more information. Inclusion on the KEV list indicates that CISA agreed with that assessment. Federal civilian agencies have until December 21 to address the bug on any affected systems.
The bug was originally reported on November 24 by researchers at Google’s own Threat Analysis Group, the company said. The Skia code library is “sponsored and managed” by Google, but it is an open source project available for other developers.
Chrome vulnerabilities occasionally rise to a level of severity that prompts Google to issue a patch as soon as one is ready, instead of waiting for the next regular update cycle. Earlier this fall, for example, the company released fixes specifically for a bug in an open source tool known as libvpx, used in video encoding.
Experts are urging organizations to ensure that users have the latest version not just of Chrome, but other browsers that are based on its core code, including Microsoft Edge.
“Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable,” including zero-days that are actually used by malicious hackers, said Lionel Litty, chief security architect at Menlo Security.
As software like Chrome only becomes more complex, the opportunity for bugs to arise also expands, experts say.
Chrome’s wide use also makes it attractive to “sophisticated attackers, including those backed by state sponsors,” noted Saeed Abbasi, manager of vulnerability and threat research at Qualys.
CISA also added a recently reported bug in the open source ownCloud software to the KEV list.
Jonathan Greig contributed to this story.
Joe Warminsky
is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.