Last week Google announced an urgent fix to Google Chrome that corrects its handling of Content Security Policies (CSPs). A CSP allows a website developer to control what kind of third-party content may be displayed on their site. This prevents issues like code injection or cross-site scripting attacks that come from content the developer does not own but that is referenced on the site. Incorrect handling of a CSP can expose site visitors to unintended and possibly malicious content.
This issue was reported by security researcher Michal Bentkowski to Google in May, but the Google security team announced it to the public and presented a critical patch last week. You can find the announcement here. This is no longer the most recent update to Google Chrome, but it is critical that all users update to at least version 67.0.3396.79, or version 67.0.3396.87 (the latest version as of this post).
Many enterprise environments and most personal devices allow Chrome to update automatically, and only a restart of Chrome is required to complete the update. Firms that block Chrome updates or have non-persistent VDI should update immediately. Check your version by going to the Help menu and selecting “About Google Chrome.” Please contact us at firstname.lastname@example.org for more information on the vulnerability or for any assistance updating clients.
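For firms checking many clients at once, the version check above can be run over an inventory export. The following is an added example, not part of the original post: it assumes a hypothetical `host,version string` export format, and the hostnames and sample versions are constructed. The only value taken from the post is the minimum fixed build, 67.0.3396.79.

```python
import re

# Minimum fixed build named in the post.
MIN_FIXED = (67, 0, 3396, 79)

# Matches the four-part build number in strings such as
# "Google Chrome 67.0.3396.62" or a bare "67.0.3396.87".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the Chrome version as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def classify(version_text, minimum=MIN_FIXED):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    # Tuples compare numerically field by field, so 3396.100 > 3396.79;
    # comparing the raw strings would get that case wrong.
    return "patched" if version >= minimum else "vulnerable"

def audit(inventory_lines):
    """Map each host in 'host,version string' lines to its status."""
    report = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version_text = line.partition(",")
        report[host.strip()] = classify(version_text)
    return report

# Constructed sample inventory (hostnames and format are hypothetical).
SAMPLE_INVENTORY = [
    "# host,reported version",
    "ws-001,Google Chrome 67.0.3396.62",
    "ws-002,Google Chrome 67.0.3396.79",
    "ws-003,Google Chrome 67.0.3396.87",
    "vdi-gold,Google Chrome 66.0.3359.181",
    "ws-004,Google Chrome 67.0.3396.100",
    "ws-005,not installed",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check, and a `vulnerable` result on a non-persistent VDI base image means every session cloned from it starts unpatched until the image itself is updated.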