What is the update schedule for Google Chrome as of August 2023?

As of August 2023, Google is releasing updates to Google Chrome on a weekly basis. This accelerated cadence aims to address the growing patch gap problem, which provides threat actors with extra time to exploit published vulnerabilities.

What does the latest Google Chrome security update address?

The latest security update for Google Chrome, version 116.0.5845.96, addresses a total of 21 vulnerabilities. Among these, eight were classified as high severity by Google. These vulnerabilities impact various components of Chrome such as Offline, V8 engine, Device Trust Connectors, Fullscreen, Network, ANGLE, and Skia.

Can you provide details about a significant vulnerability, CVE-2023-2312?

CVE-2023-2312 is a high severity vulnerability that affects the OfflinePageUtils component of Chrome. The vulnerability stems from the 'ScheduleDownload' function, which involves passing a callback containing a raw pointer to a WebContents object. The issue arises from the uncertainty about the validity of this pointer when the callback is executed. This uncertainty can lead to attempts to access or manipulate an invalid or non-existent WebContents object, resulting in a Use-After-Free vulnerability. The security researcher who discovered this vulnerability received a bounty of $30,000.

What are some other high severity vulnerabilities addressed by the update?

In addition to CVE-2023-2312, the update addresses several other high severity vulnerabilities, including Use-After-Free vulnerabilities in Device Trust Connectors, Network, and Audio, as well as issues like Type Confusion in V8, Heap Buffer Overflow in ANGLE and Skia, and more.

Advisory

Google releases Chrome 116 Update, fixes eight High Severity Vulnerabilities

published: Aug. 16, 2023

Take action: It's now easier than ever to keep your Google Chrome and Chromium based browsers (Opera, Edge, Brave) up-to date and secure. All you have to do is restart it weekly. Yes, Google Chrome has a function in History to Reopen all Last Closed Tabs, so you don't lose anything!

Learn More

As of August 2023 Google is releasing updates to Google Chrome in a weekly cadence, to address the growing patch gap problem that allows threat actors extra time to exploit published vulnerabilities.

The latest security update for Google Chrome has been released, addressing a total of 21 vulnerabilities. Among these, eight were deemed high severity by Google. Notably, one of these vulnerabilities, identified as CVE-2023-2312, was so significant that the security researcher who discovered it received a substantial bounty of $30,000.

CVE-2023-2312 affects the OfflinePageUtils component of Chrome. The issue originates from the 'ScheduleDownload' function, which involves passing a callback that contains a raw pointer to a WebContents object. The vulnerability arises from the absence of certainty about the validity of this pointer when the callback is executed. This uncertainty can lead to attempts to access or manipulate an invalid or non-existent WebContents object, resulting in a Use-After-Free vulnerability.

The rest of the high severity vulnerabilities affect different Chrome components like Offline, V8 engine, Device Trust Connectors, Fullscreen, Network, ANGLE, and Skia.

Here is the complete list of CVEs addressed by the Google Chrome 116.0.5845.96 security update:

High CVE-2023-2312: Use after free in Offline.
High CVE-2023-4349: Use after free in Device Trust Connectors.
High CVE-2023-4350: Inappropriate implementation in Fullscreen.
High CVE-2023-4351: Use after free in Network.
High CVE-2023-4352: Type Confusion in V8.
High CVE-2023-4353: Heap buffer overflow in ANGLE.
High CVE-2023-4354: Heap buffer overflow in Skia.
High CVE-2023-4355: Out-of-bounds memory access in V8.
Medium CVE-2023-4356: Use after free in Audio.
Medium CVE-2023-4357: Insufficient validation of untrusted input in XML.
Medium CVE-2023-4358: Use after free in DNS.
Medium CVE-2023-4359: Inappropriate implementation in App Launcher.
Medium CVE-2023-4360: Inappropriate implementation in Color.
Medium CVE-2023-4361: Inappropriate implementation in Autofill.
Medium CVE-2023-4362: Heap buffer overflow in Mojom IDL.
Medium CVE-2023-4363: Inappropriate implementation in WebShare.
Medium CVE-2023-4364: Inappropriate implementation in Permission Prompts.
Medium CVE-2023-4365: Inappropriate implementation in Fullscreen.
Medium CVE-2023-4366: Use after free in Extensions.
Medium CVE-2023-4367: Insufficient policy enforcement in Extensions API.
Medium CVE-2023-4368: Insufficient policy enforcement in Extensions API.

Google releases Chrome 116 Update, fixes eight High Severity Vulnerabilities

Read More
Critical macOS SMBClient flaws enable remote code execution
Windows AFD for WinSock vulnerability exploited by North …
Google releases update for Chrome and Chromium browsers …
U.S. House bans WhatsApp on their devices due …
Google releases one more urgent Chrome update