Apply Emergency Update to Google Chrome Browser
This message was sent to U-M IT groups on Monday, 4/17/2023. It is intended for U-M IT staff who are responsible for university devices running the Google Chrome web browser. It will also be of interest to individuals who have Chrome installed on their own devices.
Summary
A zero-day vulnerability has been discovered in the Google Chrome browser that could allow for remote code execution. Depending on the privileges associated with the user running the browser, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Problem
The vulnerability, tracked as CVE-2023-2033, can be exploited by creating a malicious web page that would run arbitrary code in the browser when visited by a user.
Threats
CVE-2023-2033 is being actively exploited in the wild.
Affected Versions
Google Chrome desktop versions prior to 112.0.5615.121 for Windows, Mac, and Linux.
Action Items
Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- Update Chrome for desktop versions prior to 112.0.5615.121 as soon as possible after appropriate testing.
- To find out what version of Chrome you are running, go to the Chrome menu at the top right (three dots) > Help > About Google Chrome. Opening this page also triggers a check for updates.
- To update Chrome, click Update Google Chrome and then click Relaunch. The new version is not in use until Chrome has been relaunched. For more information, see Update Google Chrome.
At this time it is unknown whether mobile versions are impacted, as full details about the vulnerability have not been released. ITS Information Assurance recommends applying all Chrome security updates as soon as possible, including on mobile devices.
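For IT staff who need to apply the version check above across many machines rather than one About page at a time, the following Python script is an added example (it is not part of the original advisory and not an ITS tool). It parses the version banner Chrome prints, compares it numerically against 112.0.5615.121 so that an earlier 112 build such as 112.0.5615.49 is correctly treated as older, and sorts an inventory list into vulnerable, patched and unknown hosts. The command list, host names and inventory rows are constructed assumptions.

```python
"""
Triage Chrome versions against the CVE-2023-2033 fix (112.0.5615.121).

Added illustration for this advisory; not an ITS tool. The inventory rows
and host names below are constructed sample data.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

# First stable desktop build that contains the fix (from the advisory).
FIXED_VERSION = "112.0.5615.121"

# Hypothetical list of Linux/macOS binaries to probe; adjust for your fleet.
CHROME_COMMANDS = [
    ["google-chrome", "--version"],
    ["google-chrome-stable", "--version"],
    ["chromium", "--version"],
    ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "--version"],
]

# Chrome versions always have four numeric components.
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){3})\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a four-part version out of text such as 'Google Chrome 112.0.5615.49'
    and return it as a tuple of ints, or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the version predates the fix, False if it is the fixed build or
    later, None if no version could be parsed. Comparing int tuples avoids the
    classic mistake of comparing version strings lexically, where
    '112.0.5615.49' sorts after '112.0.5615.121' and looks patched."""
    found = parse_version(version_text)
    if found is None:
        return None
    return found < parse_version(fixed)


def triage_inventory(rows: Iterable[str]) -> Dict[str, List[str]]:
    """Classify 'hostname,version banner' rows into vulnerable / patched /
    unknown buckets, preserving input order within each bucket."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for row in rows:
        host, _, banner = row.partition(",")
        state = is_vulnerable(banner)
        if state is None:
            buckets["unknown"].append(host)
        elif state:
            buckets["vulnerable"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets


def local_chrome_version() -> Optional[str]:
    """Return the --version banner of the first Chrome/Chromium binary found on
    this Linux/macOS host, or None. Caveat: this reports the installed binary;
    a Chrome that has downloaded the update but not been relaunched is still
    running the old code, so a clean result here does not prove the running
    process is fixed."""
    for cmd in CHROME_COMMANDS:
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=False)
        except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0 and parse_version(proc.stdout) is not None:
            return proc.stdout.strip()
    return None


# Constructed sample inventory (not real U-M data).
SAMPLE_INVENTORY = [
    "ws-001,Google Chrome 112.0.5615.49",   # earlier 112 build: vulnerable
    "ws-002,Google Chrome 112.0.5615.121",  # exactly the fixed build: patched
    "ws-003,Google Chrome 111.0.5563.147",  # older branch: vulnerable
    "ws-004,Google Chrome 113.0.5672.63",   # later build: patched
    "ws-005,Chrome not installed",          # no version string: unknown
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
    banner = local_chrome_version()
    if banner is None:
        print("local: no Chrome/Chromium binary found")
    else:
        print(f"local: {banner} -> {'UPDATE NEEDED' if is_vulnerable(banner) else 'ok'}")
```

On Windows the equivalent of the `--version` probe is the file version of chrome.exe, for example in PowerShell: `(Get-Item "$env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion`; feed that string to `is_vulnerable`. Whatever the platform, a host that reports the fixed build still needs Chrome relaunched before the fix is actually in effect.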
Technical Details
The vulnerability is a high-severity type confusion weakness in the Chrome V8 JavaScript engine. Type confusion occurs when code treats an object in memory as a different type from the one it was created as; in a JavaScript engine this can let attacker-controlled script read or write memory out of bounds and, from there, execute arbitrary code in the browser process. Google has not yet released full details of the bug.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Additionally:
- ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation, and provides vulnerability management guidance to the university.
Information for Users
MiWorkspace-managed machines are being updated; users will need to relaunch Chrome after the update to begin using the new version. To relaunch Chrome, go to the Chrome menu at the top right (three dots) > Help > About Google Chrome > click Relaunch.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- CVE-2023-2033 Detail (National Institute of Standards and Technology (NIST))
- Google Chrome emergency update fixes first zero-day of 2023 (BleepingComputer, 4/14/23)
- Update now: Google emits emergency fix for zero-day Chrome vulnerability (The Register, 4/17/23)
- Google Chrome Releases (Stable Channel Update for Desktop, 4/14/23)
- Update Google Chrome (Google Help)