Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild.
Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash.
Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto's Munk School have been credited with discovering and reporting the flaw on September 6, 2023.
The tech giant has yet to disclose additional details about the nature of the attacks, but noted that it's "aware that an exploit for CVE-2023-4863 exists in the wild."
With the latest fix, Google has addressed a total of four zero-day vulnerabilities in Chrome since the start of the year -
- CVE-2023-2033 (CVSS score: 8.8) - Type Confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) - Type Confusion in V8
The development comes the same day Apple expanded fixes to remediate CVE-2023-41064 for the below devices and operating systems -
- iOS 15.7.9 and iPadOS 15.7.9 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- macOS Big Sur 11.7.10 and macOS Monterey 12.6.9
CVE-2023-41064 relates to a buffer overflow issue in the Image I/O component that could lead to arbitrary code execution when processing a maliciously crafted image.
According to the Citizen Lab, CVE-2023-41064 is said to have been used in conjunction with CVE-2023-41061, a validation issue in Wallet, as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.
The fact that both CVE-2023-41064 and CVE-2023-4863 hinge around image processing and that the latter has been reported by Apple and the Citizen Lab suggests there could be a potential connection between the two.
Users are recommended to upgrade to Chrome version 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
