


Google has patched a zero-day vulnerability in its Chrome browser that a commercial vendor has already been actively exploiting to drop surveillance software on target systems.

And it is the third Chrome zero-day bug that Google has disclosed in recent days that is related to spying activity.

Memory Corruption Vulnerabilities

The new buffer overflow issue that Google is tracking as CVE-2023-5217 stems from the implementation of a video compression format in a software library that Chrome uses. The flaw is remotely exploitable and gives attackers a way to achieve remote code execution on a target system by manipulating heap memory via a maliciously crafted HTML page. It is present in versions of Google Chrome prior to 117.0.5938.132 and versions of the libvpx library before 1.13.1.
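A defender's triage of the affected-version ranges above, as an added example that is not part of the original article: it flags inventory entries older than the fixed Chrome and libvpx versions. The inventory format, hostnames and function names are assumptions made for the example.

```python
import re

# Fixed versions as stated in the article.
FIXED = {
    "chrome": (117, 0, 5938, 132),
    "libvpx": (1, 13, 1),
}

def parse_version(text):
    """Turn '117.0.5938.92' or 'v1.9.0' into a tuple of ints, or None if malformed."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def status(product, version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one installed component."""
    fixed = FIXED.get(product.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Compare numerically, never as strings: "117.0.5938.92" sorts after
    # "117.0.5938.132" as text, and "1.9.0" sorts after "1.13.1".
    width = max(len(fixed), len(version))
    version += (0,) * (width - len(version))  # pad so 1.13 compares as 1.13.0
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if version < fixed else "fixed"

def triage(inventory_text):
    """Parse 'host product version' lines and return {(host, product): status}."""
    results = {}
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        host, product, version = fields
        results[(host, product)] = status(product, version)
    return results

# Constructed sample inventory (hostnames and entries are made up for the example).
SAMPLE = """\
ws-01 chrome 117.0.5938.92
ws-02 chrome 117.0.5938.132
ws-03 chrome 118.0.5993.70
build-01 libvpx v1.9.0
build-02 libvpx 1.13.1
build-03 libvpx unknown-build
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(*key, value)
```

Entries reported as `unknown` need manual review rather than being treated as patched.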

Google’s Chrome team credited a member of the company’s Threat Analysis Group (TAG) for discovering and reporting the zero-day threat on Sept. 25. The company issued a patch for it on Sept. 27. In a post on X, formerly Twitter, TAG security researcher Maddie Stone described the bug as a zero-day that a commercial surveillance vendor was exploiting at the time of patch release.

Stone’s tweet did not identify the vendor by name, but in recent days Google has pointed to a surveillance vendor named Intellexa as abusing a previous Chrome zero-day (CVE-2023-4762) to drop a spying tool called Predator on target Android devices in Egypt. Google patched that bug on Sept. 5 after a security researcher notified the company about the threat.

A Flurry of Zero-Days

CVE-2023-5217 is actually the sixth zero-day vulnerability that Google has disclosed in Chrome this year. It is the third vulnerability the company has rushed to patch just this month that appears related to spying activity.

On Sept. 11, Google disclosed a critical vulnerability identified as CVE-2023-4863 that affected Google Chrome versions for Windows, macOS, and Linux. The buffer overflow vulnerability, in a Chrome library related to image processing (libwebp), gave attackers a way to write arbitrary code on target systems using maliciously crafted HTML images. Google identified CVE-2023-4863 as a vulnerability that attackers were already exploiting, but did not offer any details.

Google discovered the vulnerability after researchers at Apple and the University of Toronto’s Citizen Lab notified the company about finding a security issue in libwebp that an attacker had abused to drop the notorious Pegasus spyware on target iPhones. Though Google and Apple have assigned different CVEs (Apple’s identifier for the libwebp bug is CVE-2023-41064), some security researchers have said it is likely that the bugs are essentially the same since they exist in the same library and have similar characteristics.

In addition to these three zero-days, Google disclosed three other Chrome bugs this year that attackers were actively exploiting before the company had a patch for them.

In June, Google disclosed CVE-2023-3079, a so-called type confusion error in the V8 JavaScript engine in Chrome that an attacker could exploit via a specially crafted HTML page. Google disclosed the other two zero-days in April. One was an integer overflow issue in the Skia open source graphics library, tracked as CVE-2023-2136, and the other is CVE-2023-2033, also a type confusion error in V8 that an attacker can exploit via a malicious HTML page. Threat actors were actively exploiting all three vulnerabilities at the time of patching.


