Hey Chrome, are you feeling okay? Because this is the second time in just five days that you’ve been patched for a zero-day vulnerability. Last Friday Google released a patch that fixed an issue in the browser’s JavaScript engine, but today’s bug is in the Skia graphics library. Chrome users on Windows and Mac can download and apply the update right now, while Linux and other platforms should see the update in the next few days.
Resist the urge to push that update back, because this isn’t something that you should ignore. Like last week’s bug, it’s being actively exploited “in the wild,” according to Google’s post on the Chrome Releases page (via Bleeping Computer). Unlike the other security bugs fixed in this update, which were reported by members of the Vulnerability Research Institute and paid out a total of $20,000 in bug bounties, the critical flaw was discovered by Clément Lecigne of Google’s Threat Analysis Group.
It’s been exactly one week since the CVE-2023-2136 bug was identified, which is a pretty good turnaround for a company that’s larger in dollar terms than several countries. Details on exactly how the bug is being exploited aren’t available — presumably Google doesn’t want anyone else joining in on whatever they’ve seen happening in the wild.