ALERT: Apply Urgent Update to Google Chrome and Mozilla Firefox Browsers, and other software (CVE-2023-5217)

Google has released an important update to the Google Chrome web browser for a zero-day vulnerability (CVE-2023-5217) that is being actively exploited in the wild. Mozilla Firefox has also released an important update related to this vulnerability. We expect additional software vendors will  also be releasing updates to fix other applications affected by the vulnerability.

Update Chrome and Firefox browsers, and other impacted software, as soon as possible.

Although there is no confirmation as of yet, an exploit could potentially enable a zero-click attack when visiting a website containing a malicious image.

The vulnerability is being actively exploited in the wild.

Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Update Google Chrome and Mozilla Firefox to the latest version as soon as possible. Update any other software impacted by the (CVE-2023-5217) vulnerability. MiWorkspace-managed machines are being updated. Google and Mozilla are currently rolling out new versions to personal devices. 

Users need to relaunch the program or restart their computers after the update to begin using the new version.

Update Chrome:

1. Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome. 

2. Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.

Update Firefox:

1. Find out your version: Go to Firefox in the menu bar at the top of your screen and select About Firefox.

2. The About window will open and alert you to the update(s) available. Click to install the update, and relaunch when prompted.

3. Repeat this process to be sure that you have installed the necessary version. In some cases, you may need to install more than update to reach the desired version.

Update other impacted software:

Follow similar steps to those above in order to update other impacted software. Consult software vendor help sites for detailed instructions about updating.

The vulnerability (CVE-2023-5217) is a heap buffer overflow issue in vp8 encoding in libvpx. According to Google, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix.” The vulnerability affects Google Chrome, Mozilla Firefox, and a number of popular programs.

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Additionally:

• ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
• IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation and provides vulnerability management guidance to the university.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.Please contact ITS Information Assurance through the ITS Service Center.

Please contact ITS Information Assurance through the ITS Service Center.

• CVE-2023-5217 (National Vulnerability Database, 9/27/23)

• A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day (arstechnica.com, 9/28/23)

• Stable Channel Update for Desktop (Chrome Releases, 9/27/23)

• Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0. — Mozilla (Mozilla, 9/28/23)