Chrome Flags Third Zero-Day This Month That Is Tied to Spying Exploits

Google has fixed a zero-day vulnerability in its Chrome browser that a commercial vendor has already been actively exploiting to drop surveillance software on target systems.

And it’s the third Chrome zero-day bug that Google has disclosed in recent days that is linked to spying activity.

Memory Corruption Vulnerabilities

The new buffer overflow issue that Google is tracking as CVE-2023-5217 stems from the implementation of a video compression format in a software library that Chrome uses. The flaw is remotely exploitable and gives attackers a way to gain remote code execution on a target system by manipulating heap memory via a maliciously crafted HTML page. It is present in versions of Google Chrome prior to 117.0.5938.132 and versions of the libvpx library before 1.13.1.

Google’s Chrome team credited a member of the company’s Threat Analysis Group (TAG) for discovering and reporting the zero-day threat on Sept. 25. The company issued a patch for it on Sept. 27. In a post on X, formerly Twitter, TAG security researcher Maddie Stone described the bug as a zero-day that a commercial surveillance vendor was exploiting at the time of patch release.

Stone’s tweet didn’t identify the vendor by name, but in recent days Google has pointed to a surveillance vendor named Intellexa as abusing a previous Chrome zero-day (CVE-2023-4762) to drop a spying tool called Predator on target Android devices in Egypt. Google patched that bug on Sept. 5 after a security researcher notified the company about the threat.

A Flurry of Zero-Days

CVE-2023-5217 is actually the sixth zero-day vulnerability that Google has disclosed in Chrome this year. It’s the third vulnerability the company has rushed to patch just this month that appears linked to spying activity.

On Sept. 11, Google disclosed a critical vulnerability identified as CVE-2023-4863 that affected Google Chrome versions for Windows, macOS, and Linux. The buffer overflow vulnerability, in a Chrome library related to image processing (libwebp), gave attackers a way to write arbitrary code on target systems using maliciously crafted HTML images. Google identified CVE-2023-4863 as a vulnerability that attackers were already exploiting, but didn’t offer any details.

Google discovered the vulnerability after researchers at Apple and the University of Toronto’s The Citizen Lab notified the company about finding a security issue in libwebp that an attacker had abused to drop the notorious Pegasus spyware on target iPhones. Though Google and Apple have assigned different CVEs (Apple’s identifier for the libwebp bug is CVE-2023-41064), some security researchers have said it’s likely that the bugs are essentially the same since they exist in the same library and have similar characteristics.

In addition to these three zero-days, Google disclosed three other Chrome bugs this year that attackers were actively exploiting before the company had a patch for them.

In June, Google disclosed CVE-2023-3079, a so-called type confusion error in the V8 JavaScript engine in Chrome that an attacker could exploit via a specially crafted HTML page. Google disclosed the other two zero-days in April. One was an integer overflow issue in the Skia open source graphics library, tracked as CVE-2023-2136, and the other is CVE-2023-2033, also a type confusion error in V8 that an attacker can exploit via a malicious HTML page. Threat actors were actively exploiting all three vulnerabilities at the time of patching.
