September 12, 2023, updated 13 Sep 2023 9:17am

Zero-day vulnerability in Google Chrome browser exploited in the wild

Google confirmed that the flaw, now patched, was caused by a heap buffer overflow condition and has been exploited in the recent past.

By Claudia Glover

A critical vulnerability in Google’s Chrome web browser has been exploited in the wild, the tech giant has admitted in a new security update. Named CVE-2023-4863 by the search giant, the flaw – patched by the update – is a ‘zero-day’ vulnerability, one with no known remedy at the time it was exploited, and was caused by a “WebP heap buffer overflow” weakness in the Chrome browser. When exploited, the flaw can allow outside parties to run commands on target devices remotely. Google added that it was “aware that an exploit for CVE-2023-4863 exists in the wild,” but did not provide further details about the vulnerability.

Google’s Chrome was recently exploited. (Photo by Ink Drop/Shutterstock)

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

This means that Chrome users can update their browsers to thwart new attacks before the release of additional technical specifics, which could allow more threat actors to create their own exploits and deploy them in the wild. The new, vulnerability-free version of the browser is expected to roll out to the browser’s entire user base over the coming weeks.

A zero-day for Google Chrome

The vulnerability was originally reported to Google on 6 September by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto’s Munk School.

The Citizen Lab also flagged one of two zero-day vulnerabilities in Apple’s systems late last week; the flaws were exploited in the wild to target iPhone and Mac users. They are tracked as CVE-2023-41064 and CVE-2023-41061.

Apple, much like Google, hastily released security updates to mitigate the risks of the zero-day vulnerabilities being abused by cybercriminals. “Apple is aware of a report that this issue may have been actively exploited,” the company revealed in security advisories describing the flaws.

The Citizen Lab also discovered that the Apple vulnerability is being abused by the NSO Group, a controversial commercial spyware company based in Israel, to upload its Pegasus spyware onto iPhones. The lab revealed that the vulnerabilities were actively abused as part of a zero-click iMessage exploit chain named BLASTPASS, used to deploy NSO Group’s Pegasus software onto fully patched iPhones running iOS 16.6.
