ALERT: Update Google Chrome ASAP for Zero-Day Vulnerabilities

Thursday, January 18, 2024

This message is intended for U-M IT staff who are responsible for university devices running the Google Chrome web browser. It will also be of interest to individuals who have Chrome installed on their own devices.

Summary

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Problem

An exploit could potentially pose risks including crashes or execution of arbitrary code.

Threats

According to Google, exploits for these vulnerabilities exist in the wild.

Affected Versions

  • Google Chrome versions prior to 120.0.6099.234 for Mac 
  • Google Chrome versions prior to 120.0.6099.224 for Linux
  • Google Chrome versions prior to 120.0.6099.224/225 for Windows

Action Items

Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Chrome on MiWorkspace machines is set up to auto update, but all users should take action to apply the update as soon as possible. To begin using the new version:

  1. Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
  2. Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.

Technical Details

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Successful exploitation of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

Chrome on MiWorkspace machines is set up to auto update. We advise users to also set their personal devices to auto update Chrome. Because automatic updates to Chrome normally happen in the background when you close and reopen Chrome, we recommend all users take the follow action as soon as possible on personal or MiWorkspace devices:

  1. Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
  2. Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.