ALERT: Apply Urgent Update to Google Chrome and Mozilla Firefox Browsers, and other software (CVE-2023-5217)


NOTE: EDEM is in the process of getting the updated version packaged and will be deploying it to all CoreImage devices in the coming days - there is no action CoreImage users need to take. Note that EDEM does not manage Firefox, so if users have it installed they should follow ITS instructions and update manually.

This message is intended for U-M IT staff who are responsible for university devices running the Google Chrome and Firefox web browsers. It will also be of interest to individuals who have Chrome or Firefox, and other impacted software impacted by the vulnerability, installed on their own devices.


Google has released an important update to the Google Chrome web browser for a zero-day vulnerability (CVE-2023-5217) that is being actively exploited in the wild. Mozilla Firefox has also released an important update related to this vulnerability. We expect additional software vendors will  also be releasing updates to fix other applications affected by the vulnerability.

Update Chrome and Firefox browsers, and other impacted software, as soon as possible.


Although there is no confirmation as of yet, an exploit could potentially enable a zero-click attack when visiting a website containing a malicious image.


The vulnerability is being actively exploited in the wild.

Affected Versions

Google Chrome versions prior to 117.0.5938.132 for Windows, Mac and Linux.

Mozilla Firefox versions prior to:

  • Firefox 118.0.1

  • Firefox ESR 115.3.1

  • Firefox Focus for Android 118.1

  • Firefox for Android 118.1

Versions of other software impacted by the (CVE-2023-5217) vulnerability.

Action Items

Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Update Google Chrome and Mozilla Firefox to the latest version as soon as possible. Update any other software impacted by the (CVE-2023-5217) vulnerability. MiWorkspace-managed machines are being updated. Google and Mozilla are currently rolling out new versions to personal devices. 

Users need to relaunch the program or restart their computers after the update to begin using the new version.

Update Chrome:

  1. Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome

  2. Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.

Update Firefox:

  1. Find out your version: Go to Firefox in the menu bar at the top of your screen and select About Firefox.

  2. The About window will open and alert you to the update(s) available. Click to install the update, and relaunch when prompted.

  3. Repeat this process to be sure that you have installed the necessary version. In some cases, you may need to install more than update to reach the desired version.

Update other impacted software:

Follow similar steps to those above in order to update other impacted software. Consult software vendor help sites for detailed instructions about updating.

Technical Details

The vulnerability (CVE-2023-5217) is a heap buffer overflow issue in vp8 encoding in libvpx. According to Google, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix.” The vulnerability affects Google Chrome, Mozilla Firefox, and a number of popular programs.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Additionally:

  • ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation and provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious EmailSecure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.Please contact ITS Information Assurance through the ITS Service Center.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.