
Double zero-day in Chrome and Edge – check your versions now! – Naked Security

If you’re a fan of Google Chrome or Microsoft Edge, you’re probably already up to date with the latest updates. It’s still worth double-checking, because two zero-day remote code execution (RCE) bugs have recently been patched in the Chromium browser core, on which both Edge and Chrome are based. Although the details of these bugs are being kept quiet, it is important to understand the risks of remote code execution and to update your browser to the latest version.

Remote code execution (RCE) describes the ability of someone outside your network, household, or company to tell your device to “Run this program of my choosing, in the way I tell you to, without giving anything away to any users who are currently logged in”. Normally, when you’re browsing and a remote website tries to foist potentially risky content on you, you will at least receive some sort of warning. If a browser RCE bug is present, however, the attacker can trick your browser into running rogue program code without even the slightest warning.

Common ways that this security hole can be triggered include booby-trapped HTML content, deliberately malconstructed JavaScript code, and malformed images or other multimedia files that the browser chokes on while trying to prepare the content for display. This could lead to a buffer overflow, which a well-prepared attacker could exploit for harm.

The two zero-day Chrome bugs patched recently are CVE-2023-2033 and CVE-2023-2136. CVE-2023-2033 is a type confusion in V8 in Google Chrome prior to 112.0.5615.121 and CVE-2023-2136 is an integer overflow in Skia in Google Chrome prior to 112.0.5615.137. V8 is the name of the JavaScript engine and Skia is a graphics library created by Google. These zero-days are particularly dangerous, as they can provide attackers with a security loophole through which they can remotely access your device.

To avoid these risks and make sure you’re up to date with the latest version, it is important to check for missed updates. The official laptop versions of Chrome seem to be 112.0.5615.137 or 112.0.5615.138 for Windows, 112.0.5615.137 for Mac, and 112.0.5615.165 for Linux. Anything at or later than these numbers will include patches for the two zero-days. Edge on your laptop should be 112.0.1722.58 or later. Chrome and Edge on Android currently seem to be 112.0.5615.136 and 111.0.1661.59 respectively, so it is important to keep an eye out for updates there. Chrome and Edge on iOS are currently 112.0.5615.70 and 112.0.1722.49 respectively, and updates are expected soon.

Chrome on your laptop, iOS, and Android can be updated by visiting the URLs chrome://settings/help, chrome://version, and chrome://version respectively. Edge on your laptop, iOS, and Android can be updated by visiting the URLs edge://settings/help, edge://version, and edge://version respectively.
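The version numbers above are the practical test: an installed build is safe only if it is at or later than the patched build for its platform. The check is easy to get wrong if the dotted strings are compared as text, because "112.0.5615.70" sorts after "112.0.5615.137" even though it is older. The following is an added example, not code from the article or from Google or Microsoft: it parses Chromium-style version strings, compares them component by component, and runs the check over a small constructed inventory. The desktop thresholds are the ones quoted in the article; mobile builds are left out because the article says those updates were still pending. The inventory rows, host names and the `audit` helper are assumptions for illustration.

```python
# Added example (not from the Naked Security article): check installed
# Chrome/Edge desktop versions against the minimum patched builds quoted in
# the article for CVE-2023-2033 and CVE-2023-2136.
from typing import Dict, Iterable, List, Tuple

# Minimum patched desktop builds as listed in the article. The article gives a
# single Edge number for "your laptop", so it is applied to all three platforms.
PATCHED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("chrome", "windows"): "112.0.5615.137",
    ("chrome", "mac"): "112.0.5615.137",
    ("chrome", "linux"): "112.0.5615.165",
    ("edge", "windows"): "112.0.1722.58",
    ("edge", "mac"): "112.0.1722.58",
    ("edge", "linux"): "112.0.1722.58",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chromium-style version into a tuple of integers.

    Comparing raw strings is the classic mistake: "112.0.5615.70" sorts
    after "112.0.5615.137" lexicographically, although it is older.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_at_least(installed: str, required: str) -> bool:
    """True if installed >= required, component by component.

    Missing trailing components count as zero, so "113" >= "112.0.5615.137".
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def is_patched(browser: str, platform: str, installed: str) -> bool:
    """True if the installed build is at or later than the patched build."""
    key = (browser.lower(), platform.lower())
    if key not in PATCHED_VERSIONS:
        raise KeyError(f"no patched version on record for {key}")
    return is_at_least(installed, PATCHED_VERSIONS[key])


def audit(inventory: Iterable[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, browser, platform, installed) records to (host, status).

    Status is "patched", "UPDATE NEEDED", "unknown platform" or "bad version".
    """
    report: List[Tuple[str, str]] = []
    for host, browser, platform, installed in inventory:
        try:
            ok = is_patched(browser, platform, installed)
        except KeyError:
            report.append((host, "unknown platform"))
            continue
        except ValueError:
            report.append((host, "bad version"))
            continue
        report.append((host, "patched" if ok else "UPDATE NEEDED"))
    return report


# Constructed sample inventory (hypothetical hosts), as might be exported from
# an MDM or software-inventory tool. lap-02 shows the string-compare trap:
# its version is numerically older than the patched build despite "70" > "1".
SAMPLE_INVENTORY = [
    ("lap-01", "chrome", "windows", "112.0.5615.138"),
    ("lap-02", "chrome", "mac", "112.0.5615.70"),
    ("srv-03", "chrome", "linux", "112.0.5615.165"),
    ("lap-04", "edge", "windows", "111.0.1661.62"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The same `audit` function can be fed the output of whatever inventory tool you already have; the only part worth keeping up to date is the `PATCHED_VERSIONS` table, which should be refreshed whenever a new Chromium security release ships.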

It is essential to make sure you’re up to date with the latest version of Chrome and Edge, as the consequences of remote code execution can be very serious. By double-checking and updating your browser to the latest version, you reduce the chances of a successful attack and protect yourself online.
