- Zero-Day Crisis Unfolds: The discovery of *CVE-2023-5217* and the urgent need for action.
- Behind the Scenes: Clément Lecigne’s role in uncovering the threat and Google’s commitment to user safety.
- Exploitation in the Shadows: How a commercial spyware vendor leveraged the vulnerability to target high-risk individuals.
- A Growing Threat Landscape: The escalating count of zero-day vulnerabilities in Google Chrome this year.
- A Change in Identity: Google’s decision to reassign a new CVE identifier for a critical flaw in the libwebp image library.
- Protecting Your Digital Domain: Step-by-step guidance on updating Chrome and staying secure.
- The Ever-Present Cybersecurity Challenge: Reflecting on the ongoing battle to safeguard our digital lives.
Details of the Patch
Google has recently released the patch for the Chrome zero-day vulnerability, exploited in various attacks since the start of the year. The security patch is a part of the latest emergency security update available today.
“Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company revealed in a security advisory published on Wednesday. The vulnerability, identified as CVE-2023-5217, represents a critical threat to users of the popular Chrome browser. Researchers describe it as a “heap-based buffer overflow in the VP8 compression format in libvpx.” This vulnerability poses a grave risk, as it can lead to program crashes or the execution of arbitrary code. It can also potentially compromise the integrity and availability of affected systems.
The Citizen Lab researcher Clément Lecigne of Google’s Threat Analysis Group (TAG) first discovered and reported the vulnerability on September 25, 2023. Lecigne emphasizes the gravity of the situation: “We are committed to safeguarding our users’ online experiences. Detecting and mitigating such vulnerabilities is pivotal in achieving that goal.”
Adding to the urgency of the situation, Maddie Stone, another researcher at Google, sent the tweet on X (formerly Twitter). According to the tweet, a commercial spyware vendor did previously exploit this vulnerability with high-risk individuals in their crosshairs.
While Google has not disclosed specific details about the exploitation, it has officially acknowledged that an exploit for CVE-2023-5217 is circulating in the wild. This acknowledgment underscores the pressing need for users to take immediate action to protect themselves.
This latest revelation marks the fifth zero-day vulnerability discovered in Google Chrome this year. Other vulnerabilities include:
- CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
In a related development, Google has assigned a new CVE identifier, *CVE-2023-5129*, to the critical flaw in the libwebp image library. It was originally tracked as *CVE-2023-4863*. This change reflects the severity and broad attack surface of the vulnerability.
To protect themselves from this clear and present danger, users must to immediately update their Chrome browsers to version 117.0.5938.132 on Windows, macOS, and Linux. Furthermore, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should remain vigilant and apply patches as soon as they are available.
Even though Google explains that the CVE-2023-5217 has been exploited in various attacks, it has yet to reveal more information regarding these incidents.
“Access to bug details and links may be restricted until most users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.”
The emergency patch will allow Google Chrome users to update their browsers against potential attacks. Google’s proactive approach can help mitigate the risk of threat actors who tailor their exploits to deploy them in real-world scenarios.