Google Chrome, Microsoft Edge, Mozilla Firefox and Apple’s Safari browser have all been impacted by a single zero-day vulnerability, it has emerged. The flaw, tracked as CVE-2023-4863, is caused by a heap buffer overflow in the WebP code library. Once exploited it can lead to system crashes and arbitrary code execution, where hackers can gain control over an infected device.
CVE-2023-4863 was first identified by researchers at The Citizen Lab, a research arm of the University of Toronto. The institution subsequently informed Google and Apple of the vulnerability’s existence, and both companies have now released patches. Mozilla and Microsoft have followed: Mozilla released its own advisory on CVE-2023-4863 yesterday, along with updates for several versions of its Firefox browser and Thunderbird email client.
“Microsoft has a fix for CVE-2023-4863 to Microsoft Edge Stable and Extended Stable Channel (Version 116.0.1938.81), which has been reported by the Chromium team as having an exploit in the wild,” Microsoft wrote in its Edge release notes.
The Citizen Lab also discovered that the Apple vulnerability is being abused by the NSO Group, a controversial commercial spyware company based in Israel, to upload its Pegasus spyware onto iPhones. The research organisation revealed that the vulnerabilities were actively abused as part of a zero-click iMessage exploit chain named BLASTPASS, used to deploy NSO Group’s Pegasus software onto fully patched iPhones running iOS 16.6.
How dangerous is this flaw?
The effects of CVE-2023-4863 may spread even further, explains Chris Hauk, consumer privacy advocate at Pixel Privacy. “Since many browsers, including Microsoft Edge, Brave, Opera, and Vivaldi are built on the Chromium platform, the same platform that Chrome is based on, this could affect their users as well. The same risk is also applicable for Firefox browser clones.”
Such a widespread exploit in ubiquitously used software is dangerous, widening the attack surface for most organisations. “As the flaws allow attackers to remotely run commands on targeted computers, this could lead to organisations experiencing data breaches or having their systems held for ransom,” says Hauk.
Buffer overflow vulnerabilities are highly dangerous, adds Brad Freedman, director of technology at security company SenseOn. “They can allow attackers to execute malicious code on computers by just having them visit a website they control,” he explains.
Patching will mitigate the risk, but users must act quickly as hackers will already be at work, Freedman explains. “Attackers will be working over the coming days and weeks to make the exploit more reliable, meaning remote code execution will be more likely,” he says. “Modern web browsers are exceptionally good at pushing out security updates rapidly and applying them as quickly as practicable, so users will shortly be protected.”
The biggest risk is to organisations which don’t allow automatic updates and push out updates at their own release schedule, continues Freedman. “This is common in governments and large organisations who may instead rely on multiple layers of security controls which are often easy for attackers to bypass.”
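For organisations that control their own release schedule, the practical follow-up to Freedman's point is an inventory check: which machines are still below the fixed build? The snippet below is an added example, not code from the article or from any vendor. It uses the one fixed version the article quotes (Edge Stable and Extended Stable 116.0.1938.81); the host names and installed versions in the inventory are constructed sample data, and the `triage` helper name is an assumption made for illustration.

```python
"""Version gate for the CVE-2023-4863 Microsoft Edge fix.

Added example (not from the article). Compares installed Edge builds against
the fixed build quoted from Microsoft's release notes and lists hosts that
still need the update. Chromium-style versions are dotted integers, so they
compare correctly as tuples of ints, not as strings ("9" > "116" as strings).
"""
from typing import Dict, List, Tuple

# Fixed build named in Microsoft's Edge release notes, quoted in the article.
EDGE_FIXED_VERSION = "116.0.1938.81"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string into a tuple of ints for comparison."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = EDGE_FIXED_VERSION) -> bool:
    """True when the installed build is at least the fixed build.

    A shorter tuple with an equal prefix (e.g. 116.0.1938) compares lower than
    the fixed build, so an incomplete version string is treated as unpatched.
    """
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: Dict[str, str], fixed: str = EDGE_FIXED_VERSION) -> List[str]:
    """Return the sorted list of hosts whose Edge build is below the fixed build.

    `inventory` maps a host name to its installed Edge version string. Hosts
    whose version cannot be parsed are reported as needing attention too.
    """
    unpatched = []
    for host, version in inventory.items():
        try:
            if not is_patched(version, fixed):
                unpatched.append(host)
        except ValueError:
            unpatched.append(host)  # unknown version: treat as not verified
    return sorted(unpatched)


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "fin-ws-01": "116.0.1938.81",   # exactly the fixed build
    "fin-ws-02": "116.0.1938.76",   # same branch, earlier build
    "hr-ws-07": "117.0.2045.31",    # newer branch, already past the fix
    "ops-ws-03": "115.0.1901.203",  # older branch
    "lab-ws-09": "unknown",         # agent reported nothing usable
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Edge below {EDGE_FIXED_VERSION}, update required")
```

Run as a script it prints the hosts that need the update. Because the article only quotes a fixed build for Edge, the gate is written for Edge alone; the same tuple comparison applies to any Chromium-based browser once its own fixed build is known from the vendor's advisory.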