Google has rolled out a security update for Chrome 116 to fix a critical zero-day vulnerability, CVE-2023-4863. This is the fourth zero-day flaw found in the browser in 2023. The issue, classified as 'critical severity', is a heap buffer overflow in the WebP component. WebP is a modern image format that offers better compression and quality than JPEG and PNG and is supported by all current browsers, including Chrome, Firefox, Safari, Edge, and Opera.
Google has acknowledged in its advisory that an exploit for CVE-2023-4863 is being used in the wild. The vulnerability was reported to Google on September 6 by Apple's Security Engineering and Architecture (SEAR) team and The Citizen Lab at The University of Toronto's Munk School, which is known for uncovering the activities of commercial spyware vendors. In line with Google's policy, no bug bounty will be offered for this flaw.
Heap buffer overflow issues arise when an application writes more data to a heap-allocated memory buffer than the buffer can contain. Such vulnerabilities can be exploited to crash an application and potentially to execute arbitrary code. As is typical, Google has not disclosed further details on the bug, nor provided information on the observed exploitation. However, the credit given to SEAR and Citizen Lab for discovering the flaw may suggest that a commercial spyware vendor has exploited the vulnerability; such vendors often claim to assist government agencies in lawful surveillance. The products these vendors offer frequently target Android users with intricate exploit chains that often include Chrome exploits.
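The bounds discipline that prevents the bug class described above, as an added example in C (not libwebp's code and not the CVE-2023-4863 fix; the chunk layout, tag, size limit and function names are constructed for illustration):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed RIFF-style chunk layout: 4-byte tag, 4-byte little-endian
   payload length, then payload. Illustrative only, not WebP's real layout. */
#define MAX_PAYLOAD (1u << 20)

typedef struct { uint8_t *buf; size_t len; } chunk_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copies one chunk's payload into a fresh heap buffer. Returns 0 on success,
   -1 on malformed input. The declared length is checked against the bytes
   actually present before any write; sizing the buffer from one length and
   then trusting a second, larger length for the copy is the classic heap
   buffer overflow pattern this guards against. */
int decode_chunk(const uint8_t *in, size_t in_len, chunk_t *out) {
    if (in_len < 8) return -1;                 /* header incomplete */
    uint32_t declared = rd32le(in + 4);
    if (declared > MAX_PAYLOAD) return -1;     /* implausible size */
    if (declared > in_len - 8) return -1;      /* claims more than exists */
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return -1;
    memcpy(buf, in + 8, declared);             /* bounded by both sides */
    out->buf = buf;
    out->len = declared;
    return 0;
}

/* Byte size of a 4-byte-per-pixel image for header-declared dimensions,
   or 0 if width * height * 4 would wrap size_t (a wrapped size yields a
   too-small allocation that later pixel writes would overrun). */
size_t pixel_buffer_bytes(uint32_t width, uint32_t height) {
    if (width == 0 || height == 0) return 0;
    if ((size_t)width > SIZE_MAX / 4 / height) return 0;
    return (size_t)width * height * 4;
}

/* Constructed samples: a well-formed chunk and one claiming 4096 bytes
   while carrying only 4. */
static const uint8_t SAMPLE_OK[]  = { 'V','P','8','L', 4,0,0,0, 1,2,3,4 };
static const uint8_t SAMPLE_BAD[] = { 'V','P','8','L', 0,0x10,0,0, 1,2,3,4 };

int run_case(const uint8_t *in, size_t in_len) {
    chunk_t c = { 0, 0 };
    int rc = decode_chunk(in, in_len, &c);
    free(c.buf);
    return rc;
}
```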
Google's patch for Chrome follows closely on the heels of Apple's announcement of fixes for zero-days in iOS and macOS. The flaws in Apple's products were discovered by Citizen Lab during an analysis of exploitation activity related to NSO Group's Pegasus mercenary spyware.
CVE-2023-4863 is the fourth zero-day vulnerability that Google has patched in Chrome this year. Previously, Google addressed CVE-2023-3079 (type confusion in the V8 engine) in June, and CVE-2023-2033 (type confusion in the V8 engine) and CVE-2023-2136 (integer overflow in Skia) in April. The latest version of Chrome is now being distributed to users as version 116.0.5845.187 for macOS and Linux, and as versions 116.0.5845.187/.188 for Windows.