Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser.
Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).
Exploitation of such buffer overflow flaws can result in program crashes or execution of arbitrary code, impacting its availability and integrity.
Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 25, 2023, with fellow researcher Maddie Stone noting on X (formerly Twitter) that it has been abused by a commercial spyware vendor to target high-risk individuals.
No additional details have been disclosed by the tech giant other than to acknowledge that it's "aware that an exploit for CVE-2023-5217 exists in the wild."
The latest discovery brings to five the number of zero-day vulnerabilities in Google Chrome for which patches have been released this year -
- CVE-2023-2033 (CVSS score: 8.8) - Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) - Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) - Heap buffer overflow in WebP
It's also suspected that the Israeli spyware maker Cytrox may have exploited a recently patched Chrome vulnerability (CVE-2023-4762, CVSS score: 8.8) as a zero-day to deliver Predator, although very little information is currently available about the in-the-wild attacks.
The development comes as Google assigned a new CVE identifier, CVE-2023-5129, to the critical flaw in the libwebp image library – originally tracked as CVE-2023-4863 – that has come under active exploitation in the wild, considering its broad attack surface.
Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
Mozilla on Thursday released Firefox updates to fix CVE-2023-5217, noting that "specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process." The issue has been resolved in versions Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1, and Firefox for Android 118.1.
Microsoft on October 2, 2023, said it released updates to remediate CVE-2023-4863 and CVE-2023-5217, acknowledging that exploits exist for both vulnerabilities. However, it did not disclose if its own products such as Edge, Skype, and Teams were impacted in the wild.