

Google Chrome

Google has patched the fifth Chrome zero-day vulnerability exploited in attacks since the start of the year in emergency security updates released today.

“Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company revealed in a security advisory published on Wednesday.

The security vulnerability is addressed in Google Chrome 117.0.5938.132, rolling out worldwide to Windows, Mac, and Linux users in the Stable Desktop channel.

While the advisory says it will likely take days or weeks until the patched version reaches the entire user base, the update was immediately available when BleepingComputer checked for updates.

The web browser will also auto-check for new updates and automatically install them after the next launch.

Google Chrome 117.0.5938.132

Reported by Google TAG

The high-severity zero-day vulnerability (CVE-2023-5217) is caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, a flaw whose impact ranges from app crashes to arbitrary code execution.

The bug was reported by Google Threat Analysis Group (TAG) security researcher Clément Lecigne on Monday, September 25.

Google TAG researchers are known for occasionally discovering and reporting zero-days abused in targeted spyware attacks by government-sponsored threat actors and hacking groups targeting high-risk individuals such as journalists and opposition politicians.

For instance, with Citizen Lab researchers, Google TAG revealed on Friday that three zero-days patched by Apple last Thursday were used to install Cytrox’s Predator spyware between May and September 2023.

While Google said today that the CVE-2023-5217 zero-day had been exploited in attacks, the company has yet to share more information regarding these incidents.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.”

As a direct result, Google Chrome users will have enough time to update their browsers as a preemptive measure against potential attacks.

This proactive approach can help mitigate the risk of threat actors creating their own exploits and deploying them in real-world scenarios, particularly as more technical details become available.

Google fixed another zero-day (tracked as CVE-2023-4863) exploited in the wild two weeks ago, the fourth one since the start of the year.

While first marking it as a Chrome flaw, the company later assigned another CVE (CVE-2023-5129) and a maximum 10/10 severity rating, tagging it as a critical security vulnerability in libwebp (a library used by a large number of projects, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple’s Safari, and the native Android web browser).
