I was pleased to get through the end of the 2022 seasonal holidays without a zero-day exploit landing for Google Chrome, if I’m being honest. Attackers do like to strike when security teams and consumers alike are kicking back, after all. In fact, the last security update for users of the Google Chrome desktop browser, Windows, Mac, and Linux versions, was back on December 13, 2022. That is the same day that Microsoft, Adobe, and others release their scheduled monthly security updates: Patch Tuesday. Fast forward to January 10, the first Patch Tuesday event of 2023, and Google has dropped security fixes for no fewer than 17 Chrome browser vulnerabilities.
Multiple Chrome browser security issues confirmed to start 2023
In a posting to the Chrome releases blog, Google Chrome technical program manager, Prudhvikumar Bommana, confirmed the 17 vulnerabilities, ranging from low to high criticality. The update for desktop users of the Chrome browser has already started rolling out and will be available to all Windows, Mac, and Linux users across the coming days and weeks. The updated version number you need to be looking for to have protection from these 17 newly confirmed Chrome security vulnerabilities varies depending on which platform you are using. For Windows users it will be either 109.0.5414.74 or 109.0.5414.75, Mac users should look for 109.0.5414.87, and for Linux, it is 109.0.5414.74.
No new year zero-days for Google Chrome users
The good news, as previously mentioned, is that there were no zero-day vulnerabilities included in the January 10 release. There were, however, two high-rated vulnerabilities: CVE-2023-0128, which is a use-after-free issue in Chrome’s overview mode, and CVE-2023-0129, a heap buffer overflow vulnerability in the network service. Google awarded the security researchers disclosing these issues a total of $6,000 for their efforts.
Eight medium-severity Chrome security vulnerabilities
A total of $21,000 in bounty rewards was shared between the researchers, who disclosed eight medium-rated vulnerabilities. Of these, the largest bounty was $5,000 awarded to a researcher called Hafiizh for CVE-2023-0130, an inappropriate implementation issue with the fullscreen API.
The remaining medium-severity security issues are:
- CVE-2023-0131, which is another inappropriate implementation, this time in the iframe Sandbox.
- CVE-2023-0132, which, again, is an inappropriate implementation but in the permission prompts.
- CVE-2023-0133 is, yes, you guessed it, another inappropriate implementation, this one also in the permission prompts.
- CVE-2023-0134 mixes things up a little by being a use-after-free issue in Chrome’s cart.
- CVE-2023-0135 is another use-after-free vulnerability in cart.
- CVE-2023-0136 returns to the inappropriate implementation problem, once again, within the fullscreen API.
- CVE-2023-0137 wraps things up with a heap buffer overflow problem in platform apps.
Four low-severity Chrome security vulnerabilities
This just leaves four low-severity vulnerabilities patched as part of this first security update of 2023 to Google Chrome: CVE-2023-0138 (heap buffer overflow in libphonenumber), CVE-2023-0139 (insufficient validation of untrusted input in downloads), CVE-2023-0140 (inappropriate implementation in the file system API) and CVE-2023-0141 (insufficient policy enforcement in CORS).
All 17 vulnerability updates are dealt with by a single Chrome patch
Google Chrome makes patching security issues in the browser simple, especially for Windows and Mac users, where the update is handled automatically. The most important aspect of this is that the update is only applied, and so only offers you protection from the latest security vulnerabilities, when the browser is closed and reopened. This isn’t a problem for the majority of users who, I suspect, close the browser and shut down their computer on a daily basis. However, if you keep multiple tabs open and rarely restart the browser, then you need to ensure it has been closed and reopened as a matter of urgency.
You can check to see if your computer is running the latest, up-to-date version of Chrome by selecting the ‘about’ option from the Chrome help menu. This will not only display the currently installed version but kickstart a download and installation if one is available.
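The version check and the restart caveat above, as an added example that is not part of the original article: a short Python script that compares each host's installed and running Chrome version with the fixed builds listed earlier. The inventory rows, host names and the installed/running fields are constructed assumptions.

```python
# Added example: classify hosts against the fixed Chrome builds named in the article.
# The inventory rows and field names are constructed for illustration.

# Minimum fixed build per platform, as listed in the article.
FIXED = {
    "windows": "109.0.5414.74",
    "mac": "109.0.5414.87",
    "linux": "109.0.5414.74",
}

def parse(version):
    """Turn '109.0.5414.74' into (109, 0, 5414, 74) for numeric comparison."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)

def classify(platform, installed, running):
    """Return 'patched', 'restart-pending' or 'unpatched' for one host.

    installed: version of the Chrome binaries on disk
    running:   version of the browser process currently open (None if closed)
    """
    fixed = parse(FIXED[platform.lower()])
    if parse(installed) < fixed:
        return "unpatched"
    # The update has been downloaded, but an old process is still open:
    # the fix only takes effect once the browser is closed and reopened.
    if running is not None and parse(running) < fixed:
        return "restart-pending"
    return "patched"

# Constructed sample inventory: (host, platform, installed, running)
INVENTORY = [
    ("ws-01", "windows", "109.0.5414.75", "109.0.5414.75"),
    ("ws-02", "windows", "109.0.5414.74", "108.0.5359.125"),
    ("mb-01", "mac", "109.0.5414.74", "109.0.5414.74"),
    ("lx-01", "linux", "108.0.5359.124", None),
]

def report(inventory=INVENTORY):
    return {host: classify(p, i, r) for host, p, i, r in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

The `mb-01` row shows why the comparison has to be per platform: a build that counts as fixed on Windows and Linux is still below the fixed build for Mac.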