Google patched a critical remote code execution bug in its Chrome web browser Wednesday that allows an attacker to install malware on a victim’s system simply by tricking them to visit a malicious site. As part of its February security update for its Chrome browser, Google also patched six high-severity bugs, one of them close to a year old.
The fixes will be pushed to Windows, macOS and Linux desktops that make up the nearly 2.65 billion users of the Chrome. The “stable channel desktop updates” include versions 110.0.5481.177 for Mac and Linux and 110.0.5481.177/.178 for Windows. Updates will roll out over the coming days and weeks, according to Daniel Yip, technical program manager, Google.
Users may also opt to manually update their browser to protect them against potential exploits targeting these vulnerabilities.
Google zaps critical bug
A top priority for Google was to fix a use after free vulnerability that impacts the Google Chrome component identified as Prompts.
“Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in Prompts. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system,” according to IBM X-Force Exchange, a cloud-based threat intelligence platform.
Based on Google’s own description of Prompts, it is a feature that defines how an Action renders responses to users and how Action prompts them to continue. Developers can select a wide range of engaging response types to present to users, including simple, visual and media (voice) responses.
As with this bug and others, “access to bug details and links may be kept restricted until a majority of users are updated with a fix," Yip wrote.
A year-old RCE bug
The company also patched an 11-month-old Google Chrome SwiftShader high-severity use-after-free flaw (CVE-2023-0928) reported by an unidentified bounty hunter on Mar. 22, 2022, according to Google.
“By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system,” according to a description of the flaw.
SwiftShader is Chrome’s software-based renderer for 3D graphics that can be used as a fallback option when hardware acceleration is not available or when it is disabled, according to Google. It is primary used in web browsers such as Google Chrome is to render WebGL content, which is a web standard for rendering 3D graphics.
Bug roundup
The other four high-severity vulnerabilities include one (CVE-2023-0929) impacting the Chrome video acceleration component Vulkan; two video buffer overflow bug (CVE-2023-0930 and CVE-2023-0931); and a WebRTC (CVE-2023-0932) flaw.
The update includes ten security fixes with Google publicly paying bug bounty researchers over a total of $78,000. The largest bug bounty payout of $31,000 went to researcher Rong Jian, of VRI, for a Google Chrome Web Payment APIs bug (CVE-2023-0927).
Of note, three bugs were reported by security researcher Cassidy Kim, who earned a total of $23,000 from Google.
Google did not mention known exploits in the wild in its' blog post.