September 28, 2023

Google patches a new and critical zero-day Chrome browser vulnerability

It is feared the flaw in the tech giant's browser is already being exploited by surveillance software vendors.

By Claudia Glover

Google has released a patch for the second critical zero-day vulnerability of the year in its browser, Chrome. The exploit has been given a severity rating of 10, which is the highest possible. These flaws are widespread, spanning browsers and streaming sites, and appear to have been used by commercial surveillance vendors. 

Google releases patch for fifth zero-day vulnerability this year (Photo by Uladzik Kryhin/Shutterstock)

The vulnerability, tracked as CVE-2023-5217, is the second zero-day exploit of this kind this month, after Google acknowledged a heap buffer overflow flaw in the encoding code of another web library, WebP, on 12 September. This latest exploit is caused by another heap buffer overflow weakness in the encoding code of the open-source software library libvpx. These kinds of bugs can lead to systems malfunctioning and crashing, the tech giant said.

Google released an update yesterday explaining that it is “aware that an exploit for CVE-2023-5217 exists in the wild”, alongside a list of fixes for Google’s other 2023 exploits. The vulnerability is addressed in Google Chrome version 117.0.5938.132, which is being rolled out worldwide to Windows, Mac and Linux users in the Stable Desktop channel.

The advisory states that the fix will be installed over the coming weeks. The browser will also check automatically for new updates and install them at its next launch.
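Because the rollout is staged over weeks and relies on the browser relaunching, the practical check for a defender is whether each machine's installed Chrome version is at or above the fixed build the advisory names. The following is an added example, not part of the article or of any Google tooling; it assumes inventory lines of the form "hostname <output of google-chrome --version>" (the lines below are constructed sample data) and compares dotted version strings numerically, component by component, against 117.0.5938.132.

```python
"""Triage Chrome version strings against the fixed build for CVE-2023-5217.

Added example. The only page-supplied fact is the fixed Stable version,
117.0.5938.132; the inventory lines are constructed sample data.
"""
import re

# Fixed Stable Desktop build named in the advisory quoted by the article.
FIXED_VERSION = "117.0.5938.132"

# Constructed sample inventory: host name followed by the browser's own
# version string (e.g. from `google-chrome --version`). Not real hosts.
SAMPLE_INVENTORY = [
    "ws-001 Google Chrome 117.0.5938.132",
    "ws-002 Google Chrome 117.0.5938.92",
    "ws-003 Chromium 116.0.5845.187",
    "ws-004 Google Chrome 118.0.5993.70",
    "ws-005 Google Chrome 117.0.5938.132 ",
    "ws-006 no chrome installed",
]

# A dotted version with two to four numeric components.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Return the first version in `text` as a 4-tuple of ints, or None.

    Missing trailing components are padded with zeros, so "117.0"
    compares as 117.0.0.0. Numeric (not string) comparison matters:
    as strings, "92" would sort after "132".
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(version_text, fixed=FIXED_VERSION):
    """True if the version is at or above the fixed build, False if below,
    None if no version could be parsed (treat as unknown, not as safe)."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v >= parse_version(fixed)


def triage_inventory(lines):
    """Bucket inventory lines into patched / unpatched / unknown host lists."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for line in lines:
        host, _, rest = line.strip().partition(" ")
        status = is_patched(rest)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["patched"].append(host)
        else:
            result["unpatched"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that report no parseable version land in the "unknown" bucket rather than being counted as patched, which is the safer default for a fleet check; the same comparison applies to any Chromium-based browser once its own fixed build number is known.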

The exploit appears to be widespread and dangerous. Google security researcher Maddie Stone said that she believes the vulnerability is already being exploited.

Big Tech zero-day vulnerabilities in 2023

These vulnerabilities fit an emerging pattern in 2023, with the number of dangerous zero-day vulnerabilities discovered in Big Tech software on the rise. Google’s Project Zero, which tracks zero-day bugs being exploited in the wild, has already logged 45 such problems in 2023, compared with 41 in the whole of 2022.


Earlier this month, Microsoft Edge, Mozilla Firefox and Apple’s Safari browser were all impacted by a single zero-day vulnerability, tracked as CVE-2023-4863, which Google had to patch for Chrome.

A new CVE was assigned to this flaw this week, again with the maximum severity rating of 10. The bug was reassigned because it does not just affect Google but also most other applications that rely on the WebP library, indicating that it could be far more widespread than previously thought.

Such vulnerabilities are particularly valuable to surveillance companies, as they can be used as the basis of spyware such as the controversial Pegasus tool developed by the NSO Group. Earlier this month, Apple and the Citizen Lab project disclosed a vulnerability in iPhones running the latest iOS, which allowed access to the device without any interaction from the victim.

An update was also released for these vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061. “Processing a maliciously crafted image may lead to arbitrary code execution,” the company said in a statement. “Apple is aware of a report that this issue may have been actively exploited.”
