I was pleased to get through the end of the 2022 seasonal holidays without a zero-day exploit landing for Google Chrome if I’m being honest. Attackers do like to strike when security teams and consumers alike are kicking back, after all. In fact, the last security update for users of the Google Chrome desktop browser, Windows, Mac, and Linux versions, was back on December 13, 2022. That is the same day that Microsoft, Adobe, and others release their scheduled monthly security updates: Patch Tuesday. Fast forward to January 10, the first Patch Tuesday event of 2023, and Google has dropped security fixes for no less than 17 Chrome browser vulnerabilities.

In a posting to the Chrome releases blog, Google Chrome technical program manager Prudhvikumar Bommana confirmed the 17 vulnerabilities, ranging from low to high criticality. The update for desktop users of the Chrome browser has already started rolling out and will reach all Windows, Mac, and Linux users over the coming days and weeks. The version number that carries the fixes for these 17 newly confirmed Chrome security vulnerabilities varies depending on which platform you are using. For Windows users it will be either 109.0.5414.74 or 109.0.5414.75, Mac users should look for 109.0.5414.87, and for Linux, it is 109.0.5414.74.

The good news, as previously mentioned, is that there were no zero-day vulnerabilities included in the January 10 release. There were, however, two high-rated vulnerabilities: CVE-2023-0128, which is a use-after-free issue in Chrome’s overview mode, and CVE-2023-0129, a heap buffer overflow vulnerability in the network service. Google awarded the security researchers disclosing these issues a total of $6,000 for their efforts.

A total of $21,000 in bounty rewards was shared between the researchers, who disclosed eight medium-rated vulnerabilities. Of these, the largest bounty was $5,000 awarded to a researcher called Hafiizh for CVE-2023-0130, an inappropriate implementation issue with the fullscreen API.

The remaining medium-severity security issues are:

This just leaves four low-severity vulnerabilities patched as part of this first security update of 2023 to Google Chrome: CVE-2023-0138 (heap buffer overflow in libphonenumber), CVE-2023-0139 (insufficient validation of untrusted input in downloads), CVE-2023-0140 (inappropriate implementation in the file system API) and CVE-2023-0141 (insufficient policy enforcement in CORS).

Google Chrome makes patching security issues in the browser simple, especially for Windows and Mac users, where the update is handled automatically. The most important thing to understand is that the update is only applied, and so only protects you from the latest security vulnerabilities, once the browser has been closed and reopened. This isn’t a problem for the majority of users who, I suspect, close the browser and shut down their computer on a daily basis. However, if you keep multiple tabs open and rarely restart the browser, then you need to ensure it has been closed and reopened as a matter of urgency.

Check your Google Chrome browser is the latest, secure, version

You can check to see if your computer is running the latest, up-to-date version of Chrome by selecting the ‘about’ option from the Chrome help menu. This will not only display the currently installed version but kickstart a download and installation if one is available.
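For anyone checking a fleet of machines rather than a single browser, the same check can be scripted against the per-platform fixed versions quoted above. This is an added example written for this article, not Google's code; it assumes the version string is obtained from the about page or, on Linux, from `google-chrome --version`, and it compares the four dotted fields as integers because a plain string comparison gets cases like `109.0.5414.9` versus `109.0.5414.74` wrong.

```python
import re

# Lowest fixed Chrome builds from the January 10, 2023 release, per platform,
# as listed in the article above.
FIXED_VERSIONS = {
    "windows": ("109.0.5414.74", "109.0.5414.75"),
    "mac": ("109.0.5414.87",),
    "linux": ("109.0.5414.74",),
}

VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for numeric comparison."""
    if not re.fullmatch(r"\d+(\.\d+){3}", version.strip()):
        raise ValueError(f"unrecognised Chrome version string: {version!r}")
    return tuple(int(part) for part in version.strip().split("."))


def extract_version(banner: str) -> str:
    """Pull the version out of text such as 'Google Chrome 109.0.5414.74'
    (the shape printed by `google-chrome --version` on Linux; assumption)."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"no version found in: {banner!r}")
    return match.group(1)


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the lowest fixed build for
    the platform. Note: on Linux `--version` reports the binary on disk; a
    browser that has not been relaunched may still be running the old build."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    floor = min(parse_version(v) for v in FIXED_VERSIONS[key])
    return parse_version(installed) >= floor


if __name__ == "__main__":
    # Constructed sample banner, as a Linux host might report it.
    sample = "Google Chrome 109.0.5414.74 "
    version = extract_version(sample)
    print(version, "patched" if is_patched(version, "linux") else "VULNERABLE")
```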

