If you are using Google Chrome as your web browser, you may be at risk of a serious security threat. A zero-day vulnerability, identified as CVE-2023-2136, has been discovered and exploited by malicious actors in the wild. This vulnerability allows an attacker to execute arbitrary code on your device by tricking you into visiting a specially crafted website.
What is CVE-2023-2136 and why is it dangerous?
CVE-2023-2136 is an integer overflow in Skia, the open-source 2D graphics library that Chrome uses to render web content. A remote attacker who tricks the victim into opening a specially crafted web page can trigger the overflow and execute arbitrary code in the context of the browser. Successful exploitation may result in complete compromise of the vulnerable system.
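The bug class behind this CVE, as an added illustration that is not Skia's code and not the actual CVE-2023-2136 defect: a raster buffer size computed from attacker-controlled image dimensions in 32-bit arithmetic wraps around, so a huge bitmap is given a tiny buffer and the code that later fills it writes past the end. The function names, the RGBA pixel size, the 1 GiB cap and the sample dimensions are assumptions for this example; the hardened version uses the GCC/Clang `__builtin_mul_overflow` builtin, and the demonstration only compares sizes rather than performing the out-of-bounds write.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: NOT Skia's code and NOT the real CVE-2023-2136 defect.
 * Function names, the pixel format, the cap and the sizes are assumptions. */

#define BYTES_PER_PIXEL 4u          /* assumed RGBA8888 */
#define MAX_RASTER_BYTES (1u << 30) /* assumed sanity cap: refuse > 1 GiB */

/* Vulnerable pattern: the product is computed in 32-bit unsigned arithmetic,
 * which wraps silently. 65536 x 65536 x 4 wraps to exactly 0. */
uint32_t raster_size_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened pattern: every multiplication is overflow-checked before the result
 * is trusted, and an absolute cap rejects absurd sizes even when they fit. */
bool raster_size_checked(uint32_t width, uint32_t height, size_t *out)
{
    size_t area, bytes;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &area))
        return false;
    if (__builtin_mul_overflow(area, (size_t)BYTES_PER_PIXEL, &bytes))
        return false;
    if (bytes > MAX_RASTER_BYTES)
        return false;
    *out = bytes;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the bitmap is rejected. */
size_t raster_size_or_zero(uint32_t width, uint32_t height)
{
    size_t bytes = 0;
    return raster_size_checked(width, height, &bytes) ? bytes : 0;
}

/* Reports whether a writer that loops over width*height pixels would run past
 * a buffer allocated with raster_size_unchecked. It only compares sizes; it
 * never allocates or writes, so the demonstration is safe to run. */
bool unchecked_alloc_would_overrun(uint32_t width, uint32_t height)
{
    uint64_t needed    = (uint64_t)width * height * BYTES_PER_PIXEL;
    uint64_t allocated = raster_size_unchecked(width, height);
    return needed > allocated;
}

int main(void)
{
    /* Constructed inputs: one benign bitmap and two that wrap the size. */
    struct { uint32_t w, h; } cases[] = {
        { 1920u, 1080u }, { 65536u, 65536u }, { 0x40000001u, 1u }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i].w, h = cases[i].h;
        printf("%" PRIu32 "x%" PRIu32 ": unchecked size %" PRIu32
               " bytes, writer overruns buffer: %s, checked: %s\n",
               w, h, raster_size_unchecked(w, h),
               unchecked_alloc_would_overrun(w, h) ? "yes" : "no",
               raster_size_or_zero(w, h) ? "accepted" : "rejected");
    }
    return 0;
}
```

Compile with `cc -Wall -o raster raster.c`. The second and third inputs show the two shapes the wrap takes: a product that collapses to 0, and one that collapses to a small positive number (0x40000001 * 4 wraps to 4), which is the more dangerous case because a 4-byte allocation succeeds and the pixel loop then writes gigabytes past it.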
Google says it is aware that an exploit for CVE-2023-2136 exists in the wild; the bug was reported by Clément Lecigne of Google's Threat Analysis Group on April 12, 2023. Google has not disclosed the nature or scope of the attacks. Note that its release notes rate the bug High severity, the second-highest level on Chromium's Critical/High/Medium/Low scale, not Critical; in Chromium's terms a High rating still typically means code execution inside the renderer sandbox, so the label is no reason to delay updating.
The vulnerability affects Google Chrome versions prior to 112.0.5615.137 on Windows, Mac, and Linux. Because the flaw is in Skia as shipped with Chromium, other Chromium-based browsers such as Microsoft Edge, Opera, Brave, and Vivaldi are also affected until each vendor ships the corresponding fix.
How to protect yourself from CVE-2023-2136?
The good news is that Google has already released a fix in the Stable and Extended Stable channels: 112.0.5615.137/138 for Windows, 112.0.5615.137 for Mac and 112.0.5615.165 for Linux, rolling out over the coming days and weeks. If you have not updated your browser yet, do so as soon as possible.
To update your Chrome browser, follow these steps:
- Open Chrome and click on the three-dot menu icon at the top right corner of the screen.
- Select Help > About Google Chrome from the drop-down menu.
- Chrome checks for updates automatically on that page and downloads any that are available.
- Click Relaunch (or close and reopen the browser): the fix is not active until Chrome restarts.
You can also check your Chrome version by typing chrome://version in the address bar and hitting Enter. On Windows and Mac you are protected if the version is 112.0.5615.137 or later; on Linux, 112.0.5615.165 or later. Compare the version numerically, field by field: as text, "112.0.5615.99" sorts after "112.0.5615.137" even though it is older.
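A small checker for the procedure above, useful when you have to evaluate many machines rather than one, as an added example that is not Google's tooling. It parses the version string exactly as chrome://version prints it (including the "(Official Build) (64-bit)" suffix), compares fields numerically, and looks up the minimum patched build per platform from the numbers given in this article. The platform names, the table and the sample inventory are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Google's tooling. Minimum patched builds are the ones
 * named in this article; adjust the table for other advisories. */
typedef struct {
    unsigned part[4];               /* major.minor.build.patch */
} chrome_version;

typedef struct {
    const char *platform;           /* assumed platform key */
    const char *min_fixed;
} fixed_build;

static const fixed_build FIXED_FOR_CVE_2023_2136[] = {
    { "windows", "112.0.5615.137" },
    { "mac",     "112.0.5615.137" },
    { "linux",   "112.0.5615.165" },
};

/* Parses "112.0.5615.137" or the chrome://version form
 * "112.0.5615.137 (Official Build) (64-bit)". Returns false on junk. */
bool parse_chrome_version(const char *text, chrome_version *v)
{
    char next = '\0';
    int n = sscanf(text, "%u.%u.%u.%u%c",
                   &v->part[0], &v->part[1], &v->part[2], &v->part[3], &next);
    if (n == 4) return true;                        /* four numbers, nothing after */
    return n == 5 && (next == ' ' || next == '\t'); /* tolerate a build suffix */
}

/* Numeric, field-by-field comparison: -1, 0 or 1. Comparing the strings
 * instead would rank "112.0.5615.99" above "112.0.5615.137". */
int compare_chrome_version(const chrome_version *a, const chrome_version *b)
{
    for (int i = 0; i < 4; i++) {
        if (a->part[i] < b->part[i]) return -1;
        if (a->part[i] > b->part[i]) return 1;
    }
    return 0;
}

/* 1 = carries the fix, 0 = vulnerable, -1 = unknown platform or unparseable version. */
int patched_status(const char *platform, const char *version_text)
{
    chrome_version have, need;
    if (!parse_chrome_version(version_text, &have))
        return -1;
    size_t count = sizeof FIXED_FOR_CVE_2023_2136 / sizeof FIXED_FOR_CVE_2023_2136[0];
    for (size_t i = 0; i < count; i++) {
        if (strcmp(platform, FIXED_FOR_CVE_2023_2136[i].platform) != 0)
            continue;
        if (!parse_chrome_version(FIXED_FOR_CVE_2023_2136[i].min_fixed, &need))
            return -1;
        return compare_chrome_version(&have, &need) >= 0 ? 1 : 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inventory: platform and what chrome://version showed. */
    const char *inventory[][2] = {
        { "windows", "112.0.5615.121 (Official Build) (64-bit)" },
        { "windows", "112.0.5615.138 (Official Build) (64-bit)" },
        { "linux",   "112.0.5615.137" },
        { "mac",     "113.0.5672.63" },
        { "android", "112.0.5615.137" },
    };
    static const char *labels[] = { "VULNERABLE, update now", "patched", "could not evaluate" };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int s = patched_status(inventory[i][0], inventory[i][1]);
        printf("%-8s %-42s %s\n", inventory[i][0], inventory[i][1],
               labels[s < 0 ? 2 : s]);
    }
    return 0;
}
```

The Linux row is the one people get wrong by hand: 112.0.5615.137 is the fixed Windows and Mac build, but on Linux the first fixed stable build named by Google is 112.0.5615.165, so a per-platform table rather than a single threshold is required.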
If you are using other browsers that are based on Chromium, such as Microsoft Edge, Opera, Brave, or Vivaldi, you should also check their respective websites for updates and patches for CVE-2023-2136.
The same release also fixed four other security bugs; Google did not report any of them as exploited in the wild:
- Critical CVE-2023-2133: Out of bounds memory access in Service Worker API.
- Critical CVE-2023-2134: Out of bounds memory access in Service Worker API.
- High CVE-2023-2135: Use after free in DevTools.
- High CVE-2023-2137: Heap buffer overflow in sqlite.
The development marks the second Chrome zero-day exploited in the wild in 2023 and comes only days after Google patched CVE-2023-2033, a type confusion bug in the V8 JavaScript engine, on April 14. It is not immediately clear whether the two zero-days have been chained together in the in-the-wild attacks.
Until the update is installed, you can temporarily use a browser that is not built on Chromium, such as Mozilla Firefox or Safari. That is a stopgap, not a fix: the vulnerable Chrome build remains on the machine and may still be launched by other applications or links, so you should still update Chrome as soon as possible.
What else should you do to stay safe online?
Updating your browser is not enough to ensure your online security. You should also follow these best practices to avoid falling victim to cyberattacks:
- Use reputable antivirus software and keep it updated.
- Avoid clicking on suspicious links or opening attachments from unknown sources.
- Use strong, unique passwords for your online accounts, ideally generated and stored by a password manager.
- Enable two-factor authentication (2FA) for your online accounts whenever possible.
- Use a VPN (virtual private network) when connecting to public Wi-Fi networks or accessing sensitive information online.
- Back up your important data regularly and store the backups in a secure location.
CVE-2023-2136 is a serious threat that can compromise your device and data if you are using a vulnerable version of Google Chrome. To protect yourself from this zero-day vulnerability, you should update your browser as soon as possible. You should also follow the general security tips mentioned above to stay safe online.