The Information Highway

The Information Highway

Font size: +
2 minutes reading time (491 words)

Google fixes fifth actively exploited Chrome zero-day of 2023

Google has patched the fifth Chrome zero-day vulnerability exploited in attacks since the start of the year in emergency security updates released today. 

"Google is aware that an exploit for CVE-2023-5217 exists in the wild," the company revealed in a security advisory published on Wednesday.

The security vulnerability is addressed in Google Chrome 117.0.5938.132, rolling out worldwide to Windows, Mac, and Linux users in the Stable Desktop channel. 

While the advisory says it will likely take days or weeks until the patched version reaches the entire user base, the update was immediately available when checked for updates.

The web browser will also auto-check for new updates and automatically install them after the next launch.

Exploited in spyware attacks

The high-severity zero-day vulnerability (CVE-2023-5217) is caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, a flaw whose impact ranges from app crashes to arbitrary code execution.

The bug was reported by Google Threat Analysis Group (TAG) security researcher Clément Lecigne on Monday, September 25.

Google TAG researchers are known for often finding and reporting zero-days abused in targeted spyware attacks by government-sponsored threat actors and hacking groups targeting high-risk individuals such as journalists and opposition politicians.

Today, Google TAG's Maddie Stone revealed that the CVE-2023-5217 zero-day vulnerability was exploited to install spyware. 

With Citizen Lab researchers, Google TAG also disclosed on Friday that three zero-days patched by Apple last Thursday were used to install Cytrox's Predator spyware between May and September 2023.

Even though Google said today that the CVE-2023-5217 zero-day had been exploited in attacks, the company has yet to share more information regarding these incidents.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

As a direct result, Google Chrome users will have enough time to update their browsers as a preemptive measure against potential attacks.

This proactive approach can help mitigate the risk of threat actors creating their own exploits and deploying them in real-world scenarios, particularly as more technical details become available.

Google fixed another zero-day (tracked as CVE-2023-4863) exploited in the wild two weeks ago, the fourth one since the start of the year.

While first marking it as a Chrome flaw, the company later assigned another CVE (CVE-2023-5129) and a maximum 10/10 severity rating, tagging it as a critical security vulnerability in libwebp (a library used by a large number of projects, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple's Safari, and the native Android web browser). 

Cisco Catalyst SD-WAN Manager flaw allows remote s...
Microsoft now rolling out AI-powered Paint Cocreat...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Tuesday, 05 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023