Google patches another zero-day vulnerability in Chrome

The fifth exploited vulnerability in Google Chrome this year

Google has patched[1] another zero-day vulnerability, the fifth it has addressed in 2023. Tracked as CVE-2023-5217,[2] the flaw is a heap-based buffer overflow in the handling of the VP8 compression format in libvpx.

libvpx is a video codec library developed collaboratively by Google and the Alliance for Open Media (AOMedia). Vulnerabilities of this kind can cause program crashes and potentially allow execution of arbitrary code, affecting the software’s availability and integrity.

The vulnerability was discovered and reported on September 25, 2023, by Clément Lecigne, a member of Google’s Threat Analysis Group (TAG). This disclosure marks the fifth time this year that Google has had to release patches for a zero-day vulnerability in its Chrome browser.

Google's immediate response

Google responded by releasing a patch that fixes the security flaw in the Chrome browser. Users on Windows, macOS, and Linux are advised to promptly upgrade to Chrome version 117.0.5938.132.

This recommendation is also extended to individuals using Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, as they should apply the necessary patches once they become accessible.
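The version check described above, as an added example for auditing a browser inventory (not code from Google or from the original article). It assumes Stable-channel `--version` output and that any later Chrome build carries the fix; the hostnames and the version strings other than 117.0.5938.132 are constructed sample values.

```python
import re

# Fixed Chrome build named in the article for Windows, macOS and Linux.
PATCHED_CHROME = (117, 0, 5938, 132)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_output):
    """Classify one line of browser --version output.

    Returns 'patched', 'vulnerable', 'check-vendor' or 'unknown'.
    """
    version = parse_version(version_output)
    if version is None:
        return "unknown"
    # The article gives a fixed build only for Google Chrome. Other
    # Chromium-based browsers number their releases differently, so they
    # are routed to a manual check against the vendor's own advisory.
    if not version_output.strip().lower().startswith("google chrome"):
        return "check-vendor"
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would wrongly rank "117.0.5938.92" above "117.0.5938.132".
    return "patched" if version >= PATCHED_CHROME else "vulnerable"


def audit(inventory):
    """Map host -> classification for (host, version_output) pairs."""
    return {host: classify(output) for host, output in inventory}


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 117.0.5938.132"),
    ("ws-02", "Google Chrome 117.0.5938.92"),
    ("ws-03", "Google Chrome 118.0.5993.70"),
    ("ws-04", "Microsoft Edge 117.0.2045.47"),
    ("ws-05", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```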

The release and propagation of the patch underscore Google’s commitment to mitigating potential threats and safeguarding users from the exploitation of this vulnerability. However, it is anticipated that it might take some time – ranging from days to weeks – for the updated version to be distributed and adopted widely among the global user base.

Google has already patched the following vulnerabilities this year:[3]

  • CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8.
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia.
  • CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8.
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP.

Used for spyware attacks

Google’s Threat Analysis Group (TAG) is integral in identifying zero-days often exploited in specific spyware attacks. These are usually orchestrated by entities with government backing, targeting high-risk individuals, including opposition politicians and journalists. Recently, Maddie Stone from TAG unveiled the exploitation of CVE-2023-5217 for spyware installation purposes. She wrote on Twitter:[4]

discovered another ITW 0-day in use by a commercial surveillance vendor: CVE-2023-5217. Thank you to Chrome for releasing a patch in TWO day

Additionally, in collaboration with Citizen Lab, TAG divulged that from May to September 2023, three Apple-patched zero-days were exploited to deploy Cytrox's Predator spyware.[5] While Google has acknowledged CVE-2023-5217's active exploitation, detailed insights into these incidents are still pending from the company, underscoring the ongoing challenge and complexity in managing and unraveling the web of cyber threats and exploits.

Importance of timely updates

In light of the identified vulnerability, the importance of timely updates cannot be overstressed. Users are urged to actively check for updates and install them post-haste to ensure that they are protected against potential exploitations of this security flaw. The browser has been designed to automatically check for available updates and proceed with installations after it is launched, a feature that significantly aids in maintaining the software’s security.

Notably, because this vulnerability has been actively exploited to install spyware, users need to update their browsers urgently. The recent disclosure and corrective measures from Google reflect a proactive approach to managing and mitigating cybersecurity threats, reducing the risk of threat actors devising and implementing their own exploits, especially as more technical details about the vulnerability are revealed.

About the author
Gabriel E. Hall
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
