Google has released a Chrome update which includes five security fixes. One of these security fixes is for a critical vulnerability in Autofill payments.
Google labels vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user's privileges in the normal course of browsing.
How to protect yourself
If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. 114.0.5735.130/.131 for Android will become available on Google Play over the next few days.
The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.
So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.
If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.
Chrome needs a relaunch to apply the update
After the update, your version should be 114.0.5735.133 for Mac and Linux, and 114.0.5735.133/134 for Windows, or later.
The critical vulnerability
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVE patched in these updates is listed as CVE-2023-3214: Use after free in Autofill payments in Google Chrome prior to 114.0.5735.133 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Google is always very careful about providing information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the vulnerability description we can learn a few things.
The Autofill payments function is to automatically enter payment details in online forms.
Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.
Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.
A remote attack means that this vulnerability could potentially be exploited by tricking the user into visiting a specially crafted website.
Whether all this actually means that vulnerable Chrome versions will spill payments details on such a website remains to be seen, but it’s not the unlikeliest of scenarios.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.