Google has released an important update to the Google Chrome web browser for a zero-day vulnerability that is being actively exploited in the wild. Update Chrome as soon as possible.
Tuesday, September 12, 2023
This message is intended for U-M IT staff who are responsible for university devices running the Google Chrome web browser. It will also be of interest to individuals who have Chrome installed on their own devices.
Although it has not yet been confirmed, an exploit could enable a zero-click attack when a user visits a website containing a malicious image.
The vulnerability is being actively exploited in the wild.
Affected Versions
- Google Chrome versions prior to 116.0.5845.188 for Windows.
- Google Chrome versions prior to 116.0.5845.187 for Mac and Linux.
Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Update Google Chrome to the latest version as soon as possible. MiWorkspace-managed machines are being updated and Google is currently rolling out the new version to personal devices.
Users need to relaunch Chrome or restart their computers after the update to begin using the new version:
- Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
- Update Chrome: From the About page, click Update Google Chrome (if it appears), then click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.
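For IT staff checking a fleet rather than one machine, the following added example (not U-M or Google code) compares reported Chrome versions against the fixed builds above, using the platform-specific threshold from this advisory; the inventory records and hostnames are constructed sample data standing in for an endpoint-management export.

```python
# Added example for this advisory (not U-M or Google code): flag Chrome
# installs that predate the CVE-2023-4863 fix, using the advisory's builds.
from typing import Iterable

# First fixed builds from the advisory; note Windows is one build higher.
FIXED_VERSION = {
    "windows": "116.0.5845.188",
    "mac": "116.0.5845.187",
    "linux": "116.0.5845.187",
}

def parse_version(version: str) -> tuple:
    """'116.0.5845.187' -> (116, 0, 5845, 187), padding short strings with 0.
    Compare numerically: as strings, '99.0' sorts above '116.0'."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def is_vulnerable(version: str, os_name: str) -> bool:
    """True when the build is older than the first fixed build for its OS."""
    fixed = FIXED_VERSION[os_name.lower()]  # KeyError for unknown platforms
    return parse_version(version) < parse_version(fixed)

def hosts_needing_update(inventory: Iterable[tuple]) -> list:
    """Hostnames on a vulnerable build, plus any whose version or platform
    cannot be interpreted (those need a manual check)."""
    flagged = []
    for host, os_name, version in inventory:
        try:
            if is_vulnerable(version, os_name):
                flagged.append(host)
        except (ValueError, KeyError):
            flagged.append(host)
    return flagged

# Constructed sample inventory: (hostname, platform, Chrome version).
SAMPLE_INVENTORY = [
    ("lab-win-01", "windows", "116.0.5845.188"),  # patched
    ("lab-win-02", "windows", "116.0.5845.187"),  # fixed on Mac/Linux only
    ("lab-lnx-01", "linux", "116.0.5845.140"),    # vulnerable
    ("lab-lnx-02", "linux", "99.0.4844.51"),      # string compare would miss
    ("lab-mac-01", "mac", "unknown"),             # unparsable; manual check
]

if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```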
The vulnerability (CVE-2023-4863) is a heap buffer overflow in Chrome's handling of the WebP image format. According to Google, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."
How We Protect U-M
ITS provides CrowdStrike Falcon to units; it should be installed on all U-M-owned systems (Windows, macOS, and Linux, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Additionally:
- ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation, and provides vulnerability management guidance to the university.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
- Google fixes another Chrome zero-day bug exploited in attacks (Bleeping Computer, 9/11/23)
- New Emergency Chrome Security Update After Critical iOS 16.6.1 Release (Forbes, 9/12/23)
- Google releases emergency update to patch new Chrome vulnerability existing in the wild (Neowin, 9/12/23)
- Google Releases Emergency Security Updates to Address Fourth Chrome Zero-Day Vulnerability (Opp Today, 9/12/23)
- CVE-2023-4863 (National Vulnerability Database, 9/9/23)