It seems like at least once a month we get a security bulletin that 1) Chrome has some dire security flaw, 2) Google has patched said flaw, and 3) You should update Chrome immediately or every black hat hacker in the world will know that you watched twelve hours of Futurama reruns this week. So, here we are again. There’s a zero-day exploit for both Chrome and Chromium. It’s being exploited in the wild, so you should update your browser to fix the issue.
As Bleeping Computer notes, this is the sixth time this year that a zero-day exploit has been discovered and patched by Google. (So, once every two months — I apologize for the hyperbole.) This one is an integer overflow bug in the Skia 2D graphics library, a common type of bug that occurs when a program doesn't account for values larger than should normally be possible, so a number too big for the space set aside for it wraps around to something small. It's structurally similar to the classic Y2K bug, but more complicated because we're dealing with bit values instead of dates.
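The bug class described above, shown in a generic pixel-buffer size calculation next to a checked version. This is an added example, not Skia or Chromium code and not the actual flaw, whose details are not given here; the function names and sample dimensions are made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: the product is computed in 32 bits and silently wraps
 * modulo 2^32, so a huge image can yield a tiny byte count. */
uint32_t pixel_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked: test each multiplication against the type's limit before doing
 * it, and refuse the request instead of returning a wrapped size. */
bool pixel_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (width > UINT32_MAX / bpp)      /* width * bpp would wrap */
        return false;
    uint32_t row = width * bpp;
    if (height > UINT32_MAX / row)     /* row * height would wrap */
        return false;
    *out = row * height;
    return true;
}

int main(void)
{
    /* Constructed sample dimensions, 4 bytes per pixel. */
    const uint32_t dims[][2] = {
        {1920u, 1080u},        /* ordinary image */
        {0x40000001u, 1u},     /* true size 2^32 + 4 bytes */
        {65536u, 65536u},      /* true size 2^34 bytes */
    };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t safe = 0;
        bool ok = pixel_bytes_checked(dims[i][0], dims[i][1], 4, &safe);
        printf("%ux%u: unchecked=%u checked=%s\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1],
               (unsigned)pixel_bytes_unchecked(dims[i][0], dims[i][1], 4),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

A buffer allocated from the wrapped size is far smaller than the data later written into it, which is why this class of bug so often ends in memory corruption.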
In fairness to Google, this bug was discovered on November 24th and patched just four days later. In slightly more alarming news, Google's security bulletin says that an exploit for the bug "exists in the wild," so someone was already using it to compromise systems. Since the bug is actually in the core Chromium system, similar Chromium-based browsers (like Edge, Opera, Vivaldi, and Brave) will also need to be updated to patch this vulnerability.