Google has released a patch for the second critical zero-day vulnerability of the year in its browser, Chrome. The vulnerability has been given a severity rating of 10, which is the highest possible. These flaws are widespread, spanning browsers and streaming sites, and appear to have been used by commercial surveillance vendors.
The vulnerability, tracked as CVE-2023-5217, is the second zero-day of this kind this month, after Google acknowledged a heap buffer overflow flaw in the encoding of another web code library, WebP, on 12 September. The latest flaw is another heap buffer overflow weakness, this time in encoding in the open-source software library Libvpx. These kinds of bugs can lead to systems malfunctioning and crashing, the tech giant said.
Google released an update yesterday explaining that it is “aware that an exploit for CVE-2023-5217 exists in the wild”, alongside a list of fixes for 2023’s other Google exploits. The vulnerability is addressed in Google Chrome version 117.0.5938.132, which is being rolled out worldwide to Windows, Mac and Linux users in the Stable Desktop channel.
The advisory states that the fix will be installed over the coming weeks. The browser will also auto-check for new updates and automatically install them at the next launch.
The exploit appears to be widespread and dangerous. Google security researcher Maddie Stone said that she believes the vulnerability is already being exploited.
Big Tech zero-day vulnerabilities in 2023
These vulnerabilities follow an emerging pattern in 2023, with the number of dangerous zero-day vulnerabilities discovered in Big Tech software on the rise. Google’s Project Zero, which tracks zero-day bugs being exploited in the wild, has already logged 45 such problems in 2023, compared with 41 in the whole of 2022.
Earlier this month, Microsoft Edge, Mozilla Firefox and Apple’s Safari browser were all impacted by a single zero-day vulnerability, tracked as CVE-2023-4863, which Google had to patch for Chrome.
A new CVE was assigned to this flaw this week, upping the severity rating to another maximum of 10. The bug was reassigned because the flaw does not just affect Google, but also most other applications that rely on the WebP library, indicating it could be far more widespread than previously thought.
Such vulnerabilities are particularly valuable to surveillance companies, as they can be used as the basis of spyware such as the controversial Pegasus tool developed by the NSO Group. Earlier this month, Apple and the Citizen Lab project disclosed a vulnerability in iPhones running the latest iOS, which allowed access to the device without any interaction from the victim.
An update was also released for these vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061. “Processing a maliciously crafted image may lead to arbitrary code execution,” the company said in a statement. “Apple is aware of a report that this issue may have been actively exploited.”