Google has fastened a zero-day vulnerability in its Chrome browser {that a} business vendor has already been actively exploiting to drop surveillance software program heading in the right direction programs.
And it is the third Chrome zero-day bug that Google has disclosed in current days that is related to spying exercise.
Reminiscence Corruption Vulnerabilities
The brand new buffer overflow challenge that Google is monitoring as CVE-2023-5217 stems from the implementation of a video compression format in a software program library that Chrome makes use of. The flaw is remotely exploitable and provides attackers a method to achieve distant code execution on a goal system by manipulating heap reminiscence by way of a maliciously crafted HTML web page. It’s current in variations of Google Chrome previous to 117.0.5938.132 and variations of the libvpx library earlier than 1.13.1.
Google’s Chrome staff credited a member of the corporate’s Menace Evaluation Group (TAG) for locating and reporting the zero-day menace on Sept. 25. The corporate issued a patch for it on Sept. 27. In a submit on X, previously Twitter, TAG safety researcher Maddie Stone described the bug as a zero-day {that a} business surveillance vendor was exploiting on the time of patch launch.
Stone’s tweet didn’t determine the seller by identify, however in current days Google has pointed to a surveillance vendor named Intellexa as abusing a earlier Chrome zero-day (CVE-2023-4762) to drop a spying device referred to as Predator heading in the right direction Android units in Egypt. Google patched that bug on Sept. 5 after a safety researcher notified the corporate in regards to the menace.
A Flurry of Zero-Days
CVE-2023-5217 is definitely the sixth zero-day vulnerability that Google has disclosed in Chrome this yr. It’s the third vulnerability the corporate has rushed to patch simply this month that seems related to spying exercise.
On Sept. 11, Google disclosed a vital vulnerability recognized as CVE-2023-4863 that affected Google Chrome variations for Home windows, macOS, and Linux. The buffer overflow vulnerability, in a Chrome library associated to picture processing (libwebp), gave attackers a method to write arbitrary code heading in the right direction programs utilizing maliciously crafted HTML photos. Google recognized CVE-2023-4863 as a vulnerability that attackers were already exploitinghowever didn’t supply any particulars.
Google found the vulnerability after researchers at Apple and the College of Toronto’s The Citizen Lab notified the corporate about discovering a safety challenge in libwebp that an attacker had abused to drop the notorious Pegasus spyware heading in the right direction iPhones. Although Google and Apple have assigned completely different CVEs — Apple’s identifier for the libwebp bug is CVE-2023-41064 — some safety researchers have stated it’s probably that the bugs are essentially the same since they exist in the identical library and have equivalent traits.
Along with these three zero-days, Google disclosed three different Chrome bugs this yr that attackers had been actively exploiting earlier than the corporate had a patch for them.
In June, Google disclosed CVE-2023-3079a so-called sort confusion error within the V8 JavaScript engine in Chrome that an attacker might exploit by way of a specifically crafted HTML web page. Google disclosed the opposite two zero-days in April. One was an integer overflow challenge within the Skia open supply graphics library, tracked as CVE-2023-2136and the opposite is CVE-2023-2033additionally a kind confusion error in V8 that an attacker can exploit by way of a malicious HTML web page. Menace actors had been actively exploiting all three vulnerabilities on the time of patching.
Author: Jai Vijayan, Contributing Author, Darkish Studying
Date: 2023-09-28 17:46:00
