Google has issued an urgent security patch for the fifth Chrome zero-day vulnerability exploited in attacks since the beginning of 2023. In a security advisory released on Wednesday, Google stated that an exploit for CVE-2023-5217 is known to exist in the wild. The vulnerability is fixed in Google Chrome version 117.0.5938.132, which is rolling out to Windows, Mac, and Linux users via the Stable Desktop channel.
While the advisory suggests it could take days or weeks for the patched version to reach all users, the update was available immediately when checking for updates. The web browser will also automatically check for new updates and install them upon the next launch.
The high-risk zero-day vulnerability (CVE-2023-5217) results from a heap buffer overflow issue in the VP8 encoding of the open-source libvpx video codec library. This flaw can lead to consequences ranging from application crashes to arbitrary code execution. This bug was identified by Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), on Monday, September 25.
Google TAG researchers are known for frequently discovering and reporting zero-days that are exploited in targeted spyware attacks by government-backed threat actors and hacking groups that target high-risk individuals, such as journalists and opposition politicians. For example, Google TAG and Citizen Lab researchers disclosed last Friday that three zero-days fixed by Apple last Thursday were used to install Cytrox's Predator spyware between May and September 2023.
Although Google confirmed that the CVE-2023-5217 zero-day has been exploited in attacks, the company has not yet provided further information about these incidents. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google stated. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
As a result, Google Chrome users will have ample time to update their browsers to guard against potential attacks. This preventative measure can help reduce the risk of threat actors developing their own exploits and using them in real-world situations, especially as more technical details are made available.
Two weeks ago, Google addressed another zero-day (tracked as CVE-2023-4863) that was being exploited in the wild, marking the fourth one since the start of the year. Initially identified as a Chrome flaw, it was later reclassified with another CVE (CVE-2023-5129) and given a maximum 10/10 severity rating, marking it as a critical security vulnerability in libwebp, a library used by numerous projects, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple's Safari, and the native Android web browser.