Google Releases Patch for Fifth Actively Exploited Chrome Zero-Day of 2023
In a swift response to the fifth newly discovered zero-day vulnerability in the Chrome browser, Google has released essential fixes. This high-severity vulnerability, officially designated CVE-2023-5217 and discovered by Clement Lecigne, a member of Google’s Threat Analysis Group (TAG), is causing quite a stir in the cybersecurity community.
CVE-2023-5217 is not just any ordinary vulnerability. It is a heap-based buffer overflow that resides in the VP8 compression format within libvpx, a renowned free software video codec library developed by Google in collaboration with the Alliance for Open Media (AOMedia).
Such buffer overflow vulnerabilities are notorious for their potential to wreak havoc. Exploitation of heap-based buffer overflow vulnerabilities like CVE-2023-5217 can have far-reaching consequences, such as execution of arbitrary code, impact on the availability and integrity of the affected system, and program crashes.
Unfortunately, this vulnerability did not go unnoticed by cybercriminals. Maddie Stone, a fellow researcher, revealed on social media that a commercial spyware vendor had exploited CVE-2023-5217 to target high-risk individuals. This underscores the critical need for prompt action.
While Google acknowledges the existence of an exploit for CVE-2023-5217 in the wild, it has not provided additional details at this time. However, its quick response in releasing fixes is commendable.
The discovery of CVE-2023-5217 marks the fifth zero-day vulnerability in Google Chrome this year. Let’s recap the challenges that Chrome has faced:
- CVE-2023-2033 – Type confusion in V8; CVSS score: 8.8
- CVE-2023-2136 – Integer overflow in Skia; CVSS score: 9.6
- CVE-2023-3079 – Type confusion in V8; CVSS score: 8.8
- CVE-2023-4763 – Heap buffer overflow in WebP; CVSS score: 8.8
- CVE-2023-4762 – Suspected zero-day exploited by Cytrox to deliver Predator; CVSS score: 8.8
In addition to addressing CVE-2023-5217, Google has assigned a new CVE identifier, CVE-2023-5129, to a critical flaw in the libwebp image library. Originally tracked as CVE-2023-4863, this vulnerability has also been under active exploitation in the wild due to its broad attack surface.
Google strongly recommends that users concerned about their online security upgrade to Chrome version 117.0.5938.132.
This update is available for Windows, macOS, and Linux users. Additionally, users of Chromium-based browsers such as Vivaldi, Microsoft Edge, Opera, and Brave should apply the necessary fixes once they are available.
Besides Google, Mozilla has also taken swift action to address the vulnerability. Firefox updates have been released to fix CVE-2023-5217, and the issue has been resolved in the following versions:
- Firefox 118.0.1
- Firefox ESR 115.3.1
- Firefox Focus for Android 118.1
- Firefox for Android 118.1