Apply Urgent Update to Google Chrome
This message is intended for U-M IT staff who are responsible for university devices running the Google Chrome web browser. It will also be of interest to individuals who have Chrome installed on their own devices.
Summary
Google has released an important update to the Google Chrome web browser for a zero-day vulnerability that is being actively exploited in the wild. Update Chrome as soon as possible.
Problem
An exploit could potentially pose risks including crashes or execution of arbitrary code.
Threats
The vulnerability is being actively exploited in the wild. It allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file.
Affected Versions
- Google Chrome versions prior to 119.0.6045.199 for Mac and Linux.
- Google Chrome versions prior to 119.0.6045.199/.200 for Windows.
Action Items
Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Update Google Chrome to the latest version as soon as possible. MiWorkspace-managed machines are being updated. Users will need to restart Chrome (or their computer) for the update to apply.
Google has made the new version available for personal devices. Users need to relaunch Chrome or restart their computers after the update.
To begin using the new version:
- Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
- Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.
Note: Because Skia is used by other web applications in addition to Google Chrome, users are also advised to watch for updates to other applications that may be impacted.
Technical Details
The vulnerability (CVE-2023-6345) is an integer overflow issue in Skia in Google Chrome. Skia serves as the graphics engine for Google Chrome and other web applications.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
MiWorkspace machines will be patched as soon as possible.
It is best to set Chrome on your own devices (those not managed by the university) to update automatically. Be aware that automatic updates to Chrome normally happen in the background when you close and reopen Chrome. If you seldom close and reopen Chrome, check for pending updates to Chrome and update if necessary.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability (The Hacker News)
- Stable Channel Update for Desktop (Google Chrome Releases)
- CVE-2023-6345 (CVE)
- Google Chrome Emergency Update Fixes 6th Zero-Day Exploited in 2023 (Bleeping Computer)