Google has released an urgent security update to address the fifth Chrome zero-day vulnerability identified this year, following its exploitation in cyber attacks.
In a security notice shared on Wednesday, Google stated, “We are aware of the active exploitation of CVE-2023-5217.” The vulnerability has been fixed in Google Chrome version 117.0.5938.132, which is currently being deployed globally for Windows, Mac, and Linux users through the Stable Desktop channel.
Though the update might take some days or weeks to reach every user, it was available immediately when checking for new updates. Chrome will also automatically check for and install the latest updates upon the next startup.
This critical zero-day vulnerability, tracked as CVE-2023-5217, stems from a heap buffer overflow in the VP8 encoding of the open-source libvpx video codec library. The impact of this flaw can range from application crashes to arbitrary code execution.
The vulnerability was brought to light by Clément Lecigne, a security expert from Google’s Threat Analysis Group (TAG), on September 25th. Google’s TAG team frequently detects and reports zero-days exploited in specific malware attacks orchestrated by state-backed cyber adversaries and hacking groups, often targeting high-profile individuals like journalists and opposition leaders.
Today, another TAG researcher, Maddie Stone, confirmed the exploitation of the CVE-2023-5217 vulnerability to distribute spyware.
Furthermore, in collaboration with Citizen Lab researchers, Google TAG unveiled last Friday that three of Apple’s recently patched zero-days were exploited to disseminate Cytrox’s Predator spyware from May to September 2023.
While Google confirmed the active exploitation of CVE-2023-5217, detailed information about these attacks remains undisclosed. The company commented, “We might limit access to specific bug details and related links until most users have received the necessary fixes.” If the flaw persists in a third-party library on which other projects depend and hasn’t been rectified, such limitations will continue.
This strategy ensures that Google Chrome users get ample time to update their browsers, thus reducing the chances of cybercriminals creating and deploying their exploits, especially when more technical insights emerge.
Two weeks prior, Google addressed another zero-day vulnerability, identified as CVE-2023-4863, the fourth for this year. Initially tagged as a Chrome defect, it was later recategorized with a different CVE (CVE-2023-5129) and given the highest severity score of 10/10, marking it as a critical security flaw in the libwebp library. This library is used by numerous applications, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple’s Safari, and the default Android web browser.