For more information regarding CVE-2023-2033, please see: A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution (cisecurity.org)
What is CVE-2023-2033?
CVE-2023- 2033 is a remote code execution vulnerability in Google Chrome that impacts versions prior to 112.0.5615.121. This can be triggered by visiting a malicious website.
ThreatLocker Recommendations
- Google has released an emergency, out-of-band update to address this actively exploited zero-day vulnerability. The most up-to-date patch should be applied as soon as possible. ThreatLocker recommends discontinuing the use of Chrome until admins can ensure that all users have Google Chrome version 112.0.5615.121 installed.
- For ThreatLocker customers that currently use ThreatLocker's default Google Chrome (Ringfenced) policy, we recommend updating to the newly updated Google Chrome (Ringfenced) policy. Instructions for updating existing policies are outlined below.
Changes to the ThreatLocker Suggested Google Chrome Policy
ThreatLocker's default policy for Google Chrome has always included Ringfencing to prevent Chrome from interacting with PowerShell, RegSRV32, CScript, Command Prompt, and the Forfiles utility. To the Suggested Chrome policy, ThreatLocker has added Ringfencing to prevent Chrome from accessing the Desktop, Documents, and external drives. By blocking Chrome's ability to read or write files saved in the Desktop and Documents directories, and on external storage locations, in the event Chrome was successfully compromised and used to install ransomware, it would be unable to encrypt the files located inside the blocked directories.
For organizations that have a current Chrome policy, the Suggested Policy will not be included in the Suggested Policy list. You can either edit your existing Chrome policy or apply the updated Suggested Policy.
Please Note: Ringfencing changes take effect on the start of the process, so any instances of Chrome that are running when the changes to the policy are made will need to be shut down and restarted before the Ringfencing changes will take effect.
How to Edit Your Existing Chrome Policy to Add the Updated ThreatLocker Suggestions
Navigate to Application Control > Policies.
In the 'Applies To' box, select the location of your exisiting Google Chrome policy. The default location will be in the 'Workstations' group.
In the 'Search' box, type Chrome and then click the 'Search' button.
Click the 'Edit' button next to the Google Chrome (Ringfenced) policy.
Inside the policy edit window, scroll down to the Ringfencing section. Click the 'Files' tab, and then select the checkbox next to 'Enable Advanced Ringfencing to protect access to files'.
By default, the Desktop, Documents and external storage locations will be protected.
Be sure to click the 'Save' button to save your policy changes.
Click the red 'Deploy Policies' button to push this change to your endpoints.
How to Apply the Suggested Policy to Organizations With an Existing Chrome Policy
To apply this updated Suggested Policy, you will first need to delete your existing policy and then re-add the new Suggested Policy.
Navigate to Application Control > Policies.
In the 'Applies To' box, select the location of your exisiting Google Chrome policy. The default location will be in the 'Workstations' group.
In the 'Search' box, type Chrome and then click the 'Search' button.
Select the checkbox next to the Google Chrome (Ringfenced) policy and then click the 'Delete' button.
Once your existing policy has been deleted, click the 'Add Suggested Policies' button.
From the 'ThreatLocker Recommended' policies list, select the checkbox next to Google Chrome (Ringfenced), then click the 'Add Suggested Policies' button.
Once added, this policy will be located above the Google Updater. You need to move it so that it is below the Google Updater policy.
Once again, in the 'Applies To' box, select the location of the newly added Google Chrome (Ringfenced) policy.
In the 'Search' box, type Chrome and then click the 'Search' button. In the 'Order' column, change the number beside the Google Chrome (Ringfenced) policy to be a higher number than the Chrome Updater (Built-In) and click the 'Save' button beside the number. In the screenshot below, the Google Chrome policy is -8 and the Updater policy is -7. To move the Google Chrome (Ringfenced) policy below the Chrome Updater (Built-In) policy, we will change the number of the Google Chrome (Ringfenced) policy to -6 before clicking the 'Save' button beside the Order number.
Once we click the 'Save' button, the Google Chrome (Ringfenced) policy is moved below the Chrome Updater (Built-In) policy.
Be sure to click the 'Deploy Policies' button to push this policy change to your endpoints.