Google Chrome has a critical zero-day flaw — update right now

 and image of the Google Chrome logo on a laptop
and image of the Google Chrome logo on a laptop

Google has released emergency security updates to fix a new zero-day vulnerability in Chrome that is already being used by hackers in their attacks.

As reported by BleepingComputer, a new version of the search giant’s browser is currently rolling out to Chrome users in the Stable and Extended stable channels. According to Google, this new version of Chrome (version 116.0.5845.187/.188 for Windows and version 116.0.5845.187 for Mac and Linux) will arrive for all of the browser’s users in the coming days or weeks to patch this critical zero-day flaw.

While constant reminders to update your browser can be annoying, this is one you don’t want to ignore as hackers often target users that haven’t updated their software yet. For this reason, once the next version of Chrome becomes available, you’re going to want to install it as soon as possible to prevent falling victim to any potential attacks leveraging this flaw.

Actively exploited zero-day

A hacker typing quickly on a keyboard
A hacker typing quickly on a keyboard

In a recent security advisory, Google revealed that there is already an exploit available for this zero-day flaw (tracked as CVE-2023-4863).

The flaw itself is caused by a WebP heap buffer overflow weakness which can be exploited to crash Chrome or to execute arbitrary code within the browser. It was discovered and then reported to Google by Apple’s Security Engineering and Architecture (SEAR) team and by the Citizen Lab at the University of Toronto’s Munk School last week.

Although Google itself has said that this zero-day is being actively exploited in the wild, it has yet to reveal any more details in regard to these attacks. This is standard practice though, and Apple often operates in a similar fashion when it comes to vulnerabilities so that as many users as possible can update their software before attack details are released.

The reason for this is that once attack details are released, other cybercriminals may use this knowledge to develop their own attacks designed to target the remaining Chrome users who have yet to update their browser.

How to stay safe from attacks leveraging zero-days

Unlike with malicious apps or malware, zero-day vulnerabilities are a bit harder to defend against as you need to wait for a company to release a fix for them. This is why the most important thing you can do personally is to keep all of your software up to date by installing the latest security updates once they become available.

Google Chrome color-coded update button
Google Chrome color-coded update button

Google makes it quite easy to see when there’s a new update available for Chrome as a bubble will appear next to your profile picture in the top right corner of your browser. This bubble is also color-coded to let you know when the update was released with green representing a 2-day old update, orange for a 4-day old update and red when an update was released at least a week ago.

While clicking on the bubble will download the latest version of Chrome and it will be installed the next time you relaunch your browser, you can also manually update Google’s browser by clicking on the three dot menu next to your profile picture, clicking on Help and then About Google Chrome. This takes you to the browser’s settings page where you can check to see if you’re running the latest version of Chrome. If you need a bit more help, here’s everything you need to know on how to update Google Chrome.

In addition to keeping your browser up to date, you should also be using the best antivirus software on your PC, the best Mac antivirus software on your Apple computer and one of the best Android antivirus apps on your Android smartphone. By using antivirus software alongside installing the latest security updates, you can ensure you’re protected against all manner of cyberattacks.

There’s a chance we’ll find out more about the exploits created for this new Chrome zero-day once enough users have updated their browsers. To date, this is the fourth zero-day vulnerability that Google has patched in its browser so far this year.

More from Tom's Guide