In a recent development, Google has swiftly rolled out critical fixes to address a newly discovered zero-day vulnerability in its popular Chrome browser. This security concern, tracked as CVE-2023-5217, is classified as high-severity and pertains to a heap-based buffer overflow within the VP8 compression format present in libvpx. Libvpx, for those unfamiliar, is a vital free software video codec library developed by Google in collaboration with the Alliance for Open Media (AOMedia).
Now, let’s delve into the specifics of this concerning issue. A heap-based buffer overflow may sound complex, but its implications are clear – it can lead to program crashes and, more dangerously, facilitate the execution of arbitrary code. Such security breaches can have severe consequences, affecting both the availability and integrity of the compromised system.
Clément Lecigne, a part of Google’s Threat Analysis Group (TAG), deserves credit for discovering and promptly reporting this vulnerability on September 25, 2023. Notably, fellow researcher Maddie Stone shared on X (formerly Twitter) that this flaw had already been exploited by a commercial spyware vendor to target high-risk individuals.
As of now, Google has not provided extensive details about this vulnerability, except to acknowledge that they are fully aware of its active exploitation in the wild.
This latest discovery marks the fifth zero-day vulnerability addressed by Google Chrome this year. To put it into context, let’s briefly list the previous four:
- CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
Interestingly, there are suspicions that the Israeli spyware maker Cytrox may have exploited a recently patched Chrome vulnerability (CVE-2023-4762, CVSS score: 8.8) as a zero-day to deliver a malware strain called Predator. However, information about these in-the-wild attacks is scarce at the moment.
In a parallel development, Google has assigned a new CVE identifier, CVE-2023-5129, to a critical flaw discovered in the libwebp image library, originally tracked as CVE-2023-4863. This vulnerability is also being actively exploited in the wild due to its broad attack surface.
To safeguard your system, it’s highly recommended that you update your Chrome browser to version 117.0.5938.132, available for Windows, macOS, and Linux. Furthermore, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should remain vigilant and apply any available fixes promptly.
Mozilla, too, has acted swiftly in response to this security concern. On Thursday, they released Firefox updates to address CVE-2023-5217. According to Mozilla, this vulnerability was related to “specific handling of an attacker-controlled VP8 media stream” and could lead to a heap buffer overflow in the content process. The issue has been resolved in versions Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1, and Firefox for Android 118.1.
Staying informed about such security vulnerabilities and promptly updating your browsers is essential in today’s digital landscape to protect your data and online activities from potential threats.
Leave a Reply