The Mac Security Blog

Software & Apps

Urgent patch: 7th Chrome zero-day of 2023 affects multiple browsers

Posted on by

On Tuesday, November 28, the Google Chrome browser was updated to version 119.0.6045.199 to address a zero-day vulnerability that has been actively exploited in the wild. This is the seventh such vulnerability this year.

Google says that it “is aware that an exploit for CVE-2023-6345 exists in the wild.” This means that users must install patches urgently. This particular vulnerability exists in Chromium’s Skia graphics library.

Whenever Chrome gets a security update, other browsers based on the Chromium open-source Web browser project generally require an update, too. Notable browsers built upon the Chromium codebase include Microsoft Edge, Brave, Vivaldi, Opera, and Opera GX.

Vivaldi also released an update on November 28. Microsoft Edge and Brave browsers received updates on Wednesday, November 29.

As usual, Opera took longer than other Chromium-based browsers to release a critical security update. Opera finally released a security update for its main desktop browser on Thursday, November 30.

However, Opera GX, which is billed as a “gaming browser,” apparently remained vulnerable as of when this article was first published. In fact, the latest Opera GX version is based on an old Chromium build from more than five weeks agoUpdate: The Opera Security Team wrote a blog post on December 1 claiming that Opera GX has been updated to address the vulnerability. However, an old Chromium build from October 24, version 118.0.5993.118, remains the basis for the latest Opera GX; this may mean that Opera has implemented its own custom patch.

How to update Chromium-based desktop browsers

Mac users can update their Chrome, Edge, Brave, or Opera browsers by clicking on the application menu (e.g. “Chrome” or “Microsoft Edge,” next to the Apple logo menu), and then clicking the first item in that menu (e.g. “About Google Chrome” or “About Microsoft Edge”). The browser will check for updates, and if an update is available, it will prompt you to restart the app to complete the update.

Vivaldi for macOS has a slightly different update procedure. After clicking on the Vivaldi menu (next to the Apple menu), click on “Check for Updates…” to ensure you have the latest version installed.

Windows users can update their browsers by following the steps provided by each browser maker: Chrome, Edge, Brave, Vivaldi, Opera.

How to update Chromium-based mobile browsers

Android users should check the Google Play Store app for the latest versions of their browsers and other apps.

Mobile browsers on iOS and iPadOS use Safari’s WebKit engine, rather than Chromium’s Blink and V8 engines. Therefore, this particular vulnerability does not affect the iOS or iPadOS versions of any Web browsers. If you would like to update your iPhone and iPad browsers anyway, you can do so via the App Store. (Here’s how to manually check for and install updates.)

Sometime in early 2024, in future updates to iOS 17 and iPadOS 17, third-party app stores may become a reality—at least in the EU, for compliance with the Digital Markets Act. Apple must comply with the DMA no later than March 2024. Third-party stores may eventually distribute alternative browser versions that use their own engines, rather than the WebKit-locked App Store versions.

Non-browser apps need updates, too

As we’ve noted in the past, many non-browser apps, including Electron apps, also rely on the Chromium browser codebase for rendering HTML content. These include the desktop versions of apps like 1Password, Discord, Dropbox, Figma, GitHub, Microsoft Teams, Signal, Skype, Slack, Trello, Twitch, WhatsApp, WordPress, and Zoom.

Notably, the Electron framework does not get updated in tandem with Chromium, so some Electron-based apps may remain vulnerable for months. For this and other reasons, it’s important to keep all your other apps updated as well.

To update Mac App Store apps, open the App Store, then click Updates, and click on Update All.

Other apps usually have their own separate in-app or separate update mechanisms. In some cases, you may need to update an app manually by downloading a new version from the developer’s site.

Chromium vulnerabilities threaten Electron app security

How can I learn more?

We mentioned this week’s Chrome update on episode 320 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →