Hot on the heels of the recent emergency Google Chrome security update addressing a zero-day exploit, already seen in the wild, comes another critical Chrome browser security update. This one lists four vulnerabilities as being included, one of which is a critical issue in the browser ‘autofill payments’ function which automatically enters payment details in online forms.
What is CVE-2023-3214?
Although CVE-2023-3214 doesn’t have quite the same feeling of urgency as CVE-2023-3079, as there are no known exploits in the wild at this point, that doesn’t mean it’s not to be taken just as seriously. The fact is that this new security issue is rated as critical and impacts the autofill payments function of the Google Chrome browser. Whenever you hear ‘critical’ and ‘payments’ uttered in the same breath, you know it’s serious.
What we don’t know right now is precisely what the vulnerability entails. This is not unusual as Google always withholds such technical information until such a time as the majority of users will have received the automated update rollout, and so have been given the chance to activate it.
What we do know is that it is a ‘use-after-free’ vulnerability. MITRE defines a use-after-free as a flaw where memory is referenced after it has been freed, which can cause the program to crash, use unexpected values or execute code. MITRE's full technical explanation is in its CWE-416 entry for this weakness class.
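To make the definition above concrete, here is an added example (not Chrome code, and not the actual CVE-2023-3214 defect, whose details Google has not yet published) showing the bug pattern beside its hardened form. The `PaymentRecord` and `FormContext` types, and the `form_*` functions, are hypothetical stand-ins for an autofill-style owner/record relationship; the dangerous version frees the record but leaves the pointer dangling, while the safe version drops the reference so any later access fails a deterministic NULL check instead of reading freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a stored payment record; not Chrome's structure. */
typedef struct {
    char card_holder[32];
    int  live;            /* 1 while the record is attached to a form */
} PaymentRecord;

/* Hypothetical form context that owns exactly one record. */
typedef struct {
    PaymentRecord *record;
} FormContext;

FormContext *form_create(const char *holder) {
    FormContext *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    ctx->record = calloc(1, sizeof *ctx->record);
    if (!ctx->record) { free(ctx); return NULL; }
    snprintf(ctx->record->card_holder, sizeof ctx->record->card_holder, "%s", holder);
    ctx->record->live = 1;
    return ctx;
}

/* VULNERABLE pattern (CWE-416): the record is freed, but ctx->record still
 * holds the old address, so a later form_autofill() reads freed memory. */
void form_clear_unsafe(FormContext *ctx) {
    free(ctx->record);
}

/* HARDENED pattern: free, then clear the only reference the caller could reuse. */
void form_clear_safe(FormContext *ctx) {
    free(ctx->record);
    ctx->record = NULL;
}

/* Copies the holder name into out; returns 1 on success, 0 when no record
 * is attached (NULL check instead of a silent dangling read). */
int form_autofill(const FormContext *ctx, char *out, size_t out_len) {
    if (ctx == NULL || ctx->record == NULL) {
        if (out_len) out[0] = '\0';
        return 0;
    }
    snprintf(out, out_len, "%s", ctx->record->card_holder);
    return 1;
}

/* Runs the safe flow end to end and returns how many fills succeeded:
 * one before the clear, none after it. */
int demo_safe_flow(void) {
    char buf[32];
    int fills = 0;
    FormContext *ctx = form_create("A. Example");
    if (!ctx) return -1;
    fills += form_autofill(ctx, buf, sizeof buf);   /* record live: 1 */
    form_clear_safe(ctx);
    fills += form_autofill(ctx, buf, sizeof buf);   /* record gone: 0, no UAF */
    free(ctx);
    return fills;
}

int main(void) {
    printf("successful fills in the safe flow: %d\n", demo_safe_flow());
    /* form_clear_unsafe() followed by form_autofill() is the use-after-free.
     * It is deliberately not executed here; compiling this file with
     * -fsanitize=address and calling that sequence makes AddressSanitizer
     * report the heap-use-after-free at the dangling read. */
    return 0;
}
```

The detection side is the same in real code bases: AddressSanitizer (or Chrome's own fuzzing builds) catches the dangling read at runtime, while the mitigation is ownership discipline, which is why the safe variant nulls the pointer at the moment it gives the memory back.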
Four new security vulnerabilities are fixed in this Chrome update
CVE-2023-3214 isn’t the only vulnerability to be addressed in this Google Chrome security update, although it is the only one which earns a critical rating. Three other vulnerabilities are patched, all of them carrying a high severity rating.
These are:
- CVE-2023-3215, a use-after-free vulnerability in Chromium's WebRTC, the real-time communications system for audio, video and data.
- CVE-2023-3216, a type confusion vulnerability in the V8 JavaScript engine.
- CVE-2023-3217, another use-after-free vulnerability, this time in the Chrome browser's WebXR, the augmented reality and virtual reality application programming interface.
How to make sure your browser is protected
Head for the Help > About option in your Google Chrome menu, and if the update is available, it will automatically start downloading. It may take a few days for the update to reach everyone, so be patient if you are not seeing it yet. Also, remember what I wrote earlier, and restart your browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack. The June 13 confirmation from Google gives the updated browser version numbers as 114.0.5735.133 for Mac and Linux and 114.0.5735.133/134 for Windows.
Other browsers that use the Chromium engine will also be getting updates. These may already have landed or will be forthcoming in the next few days. Check your Brave, Edge, Opera or Vivaldi browsers to ensure the update is installed and activated.