Critical Chrome Zero-Day Exploit Found, Update Your Browser ASAP

On Wednesday, Google released patches to address a recently discovered zero-day vulnerability in its Chrome browser. The vulnerability, known as CVE-2023-5217, is considered to have a high severity level. It involves a heap-based buffer overflow in the VP8 compression format within the libvpx video codec library, which is developed by Google and the Alliance for Open Media (AOMedia).

Exploiting buffer overflow vulnerabilities like this can lead to program crashes or the execution of arbitrary code, potentially impacting the availability and integrity of the affected system.

The flaw was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on September 25, 2023. It has been used by a commercial spyware vendor to target individuals at high risk, according to researcher Maddie Stone.

.@_clem1 discovered another ITW 0-day in use by a commercial surveillance vendor: CVE-2023-5217. Thank you to Chrome for releasing a patch in TWO 🤯day!! https://t.co/QhzJonwLXi

— Maddie Stone (@maddiestone) September 27, 2023

Google has not provided any additional details about the vulnerability, except for acknowledging that an exploit for CVE-2023-5217 is being actively used in the wild.

This recent discovery marks the fifth zero-day vulnerability found in Google Chrome this year that has received patches. The other vulnerabilities are:

· CVE-2023-3079 (CVSS score: 8.8): This vulnerability involves type confusion in V8.

· CVE-2023-4863 (CVSS score: 8.8): This vulnerability is related to a heap buffer overflow in WebP.

· CVE-2023-2033 (CVSS score: 8.8): This vulnerability also pertains to type confusion in V8.

· CVE-2023-2136 (CVSS score: 9.6): This vulnerability involves an integer overflow in Skia.

In addition to addressing the Chrome vulnerability, Google has assigned a new CVE identifier, CVE-2023-5129, to a critical flaw in the libwebp image library. This flaw, originally tracked as CVE-2023-4863, is also being actively exploited and has a wide attack surface.

To mitigate potential threats, users are advised to upgrade to Chrome version 117.0.5938.132 on Windows, macOS, and Linux. Additionally, users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should apply the available fixes as soon as they are released.