View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 13, 2023updated 14 Sep 2023 9:57am

Four major browsers impacted by a single zero-day vulnerability

Microsoft Edge, Mozilla Firefox, Google Chrome and Apple's Safari browser have all released patches for CVE-2023-4863.

By Claudia Glover

Google Chrome, Microsoft Edge, Mozilla Firefox and Apple’s Safari browser have all been impacted by a single zero-day vulnerability, it has emerged. The flaw, tracked as CVE-2023-4863, is caused by a heap buffer overflow in the WebP code library. Once exploited it can lead to system crashes and arbitrary code execution, where hackers can gain control over an infected device. 

Popular internet browsers Safari, Chrome, Edge and Firefox. (Photo by Primakov/Shutterstock)

CVE-2023-4863 was first identified by researchers at The Citizen Lab, a research arm of the University of Toronto. The institution subsequently informed Google and Apple of the vulnerability’s existence. Both companies have now released patches. They were joined by Mozilla, which released its own advisory on CVE-2023-4863 yesterday and updates for several versions of its Firefox browser and Thunderbird email client, and Microsoft.

“Microsoft has a fix for CVE-2023-4863 to Microsoft Edge Stable and Extended Stable Channel (Version 116.0.1938.81), which has been reported by the Chromium team as having an exploit in the wild,” Microsoft wrote in its Edge release notes.

The Citizen Lab also discovered that the Apple vulnerability is being abused by the NSO Group, a controversial commercial spyware company based in Israel, to upload its Pegasus spyware onto iPhones. The research organisation revealed that the vulnerabilities were actively abused as part of a zero-click iMessage exploit chain named BLASTPASS, used to deploy NSO Group’s Pegasus software onto fully patched iPhones running iOS (16.6). 

How dangerous is this flaw?

The effects of CVE-2023-4863 may spread even further, explains Chris Hauk, consumer privacy advocate at Pixel Privacy. “Since many browsers, including Microsoft Edge, Brave, Opera, and Vivaldi are built on the Chromium platform, the same platform that Chrome is based on, this could affect their users as well. The same risk is also applicable for Firefox browser clones.”

Such a widespread exploit in ubiquitously used software is dangerous, widening the attack surface for most organisations. “As the flaws allow attackers to remotely run commands on targeted computers, this could lead to organisations experiencing data breaches or having their systems held for ransom,” says Hauk.

Buffer overflow vulnerabilities are highly dangerous, adds Brad Freedman, director of technology at security company SenseOn. “They can allow attackers to execute malicious code on computers by just having them visit a website they control,” he explains.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

Patching will mitigate the risk, but users must act quickly as hackers will already be at work, Freedman explains. “Attackers will be working over the coming days and weeks to make the exploit more reliable meaning remote code execution will be more likely,” he says. “Modern web browsers are exceptionally good at pushing out security updates rapidly and applying them as quickly as practicable, so users will shortly be protected.”

The biggest risk is to organisations which don’t allow automatic updates and push out updates at their own release schedule, continues Freedman. “This is common in governments and large organisations who may instead rely on multiple layers of security controls which are often easy for attackers to bypass.”

Read more: The zero day vulnerability trade remains lucrative but risky

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU