A critical vulnerability in Google’s Chrome web browser has been exploited in the wild, the company has acknowledged in a new security update. Tracked as CVE-2023-4863, the flaw, which the update patches, is a ‘zero-day’ vulnerability for which no fix was available before the update, and stems from a “WebP heap buffer overflow” weakness in the Chrome browser. When exploited, the flaw can allow outside parties to run commands on target devices remotely. Google added that it was “aware that an exploit for CVE-2023-4863 exists in the wild,” but did not provide further details about the vulnerability.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
This means that Chrome users can update their browsers to thwart new attacks before additional technical details are released, details which could allow more threat actors to build their own exploits and deploy them in the wild. The patched version of the browser is expected to roll out to the browser’s entire user base over the coming weeks.
A zero-day for Google Chrome
The vulnerability was originally reported to Google by the Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto’s Munk School on 6 September.
The Citizen Lab also reported one of two zero-day vulnerabilities in Apple’s systems late last week; both were exploited in the wild to target iPhone and Mac users. These flaws are tracked as CVE-2023-41064 and CVE-2023-41061.
Apple, much like Google, quickly released security updates to mitigate the risk of the zero-day vulnerabilities being abused by cybercriminals. “Apple is aware of a report that this issue may have been actively exploited,” the company stated in the security advisories describing the flaws.
The Citizen Lab also found that the Apple flaws are being abused by the NSO Group, a controversial commercial spyware company based in Israel, to install its Pegasus spyware on iPhones. The lab reported that the vulnerabilities were actively abused as part of a zero-click iMessage exploit chain named BLASTPASS, used to deploy NSO Group’s Pegasus software onto fully patched iPhones running iOS 16.6.