Chrome Flags Third Zero-Day This Month That's Tied to Spying Exploits
So far this year, Google has disclosed six vulnerabilities that attackers were actively exploiting before the company had a patch for them.
September 28, 2023
Google has fixed a zero-day vulnerability in its Chrome browser that a commercial vendor has already been actively exploiting to drop surveillance software on target systems.
And it's the third Chrome zero-day bug that Google has disclosed in recent days that's connected to spying activity.
Memory Corruption Vulnerabilities
The new buffer overflow issue that Google is tracking as CVE-2023-5217 stems from the implementation of a video compression format in a software library that Chrome uses. The flaw is remotely exploitable and gives attackers a way to gain remote code execution on a target system by manipulating heap memory via a maliciously crafted HTML page. It is present in versions of Google Chrome prior to 117.0.5938.132 and versions of the libvpx library before 1.13.1.
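As an added example (not from the article or from Google), this Python check triages an asset inventory against the two fixed versions stated above for CVE-2023-5217. The inventory format, host names, and sample versions are constructed for illustration.

```python
import re

# Fixed versions as stated in the article for CVE-2023-5217.
FIXED = {"chrome": (117, 0, 5938, 132), "libvpx": (1, 13, 1)}

# Constructed sample inventory: "host product version" per line.
SAMPLE_INVENTORY = """\
ws-014   chrome 117.0.5938.92
ws-015   chrome 117.0.5938.132
ws-016   chrome 116.0.5845.187
media-01 libvpx 1.13.0
media-02 libvpx v1.13.1
kiosk-03 chrome unknown
"""

def parse_version(text):
    """Return a tuple of ints for a dotted-numeric version, else None."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def status(product, version_text):
    """Classify one component as 'vulnerable', 'patched' or 'unknown'."""
    fixed = FIXED.get(product.lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"  # never report an unparsed version as patched
    width = max(len(fixed), len(found))
    pad = lambda v: v + (0,) * (width - len(v))  # so 1.13 compares as 1.13.0
    # Compare numerically: as strings, "117.0.5938.92" sorts after
    # "117.0.5938.132" and would be misreported as patched.
    return "vulnerable" if pad(found) < pad(fixed) else "patched"

def triage(inventory_text):
    """Return {host: status} for every well-formed inventory line."""
    result = {}
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            host, product, version = fields
            result[host] = status(product, version)
    return result

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {state}")
```

Hosts reported as `unknown` need manual follow-up rather than being counted as patched.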
Google's Chrome team credited a member of the company's Threat Analysis Group (TAG) for discovering and reporting the zero-day threat on Sept. 25. The company issued a patch for it on Sept. 27. In a post on X, formerly Twitter, TAG security researcher Maddie Stone described the bug as a zero-day that a commercial surveillance vendor was exploiting at the time of patch release.
Stone's tweet did not identify the vendor by name, but in recent days Google has pointed to a surveillance vendor named Intellexa as abusing a previous Chrome zero-day (CVE-2023-4762) to drop a spying tool called Predator on target Android devices in Egypt. Google patched that bug on Sept. 5 after a security researcher notified the company about the threat.
A Flurry of Zero-Days
CVE-2023-5217 is actually the sixth zero-day vulnerability that Google has disclosed in Chrome this year. It is the third vulnerability the company has rushed to patch just this month that appears connected to spying activity.
On Sept. 11, Google disclosed a critical vulnerability identified as CVE-2023-4863 that affected Google Chrome versions for Windows, macOS, and Linux. The buffer overflow vulnerability, in a Chrome library related to image processing (libwebp), gave attackers a way to write arbitrary code on target systems using maliciously crafted HTML images. Google identified CVE-2023-4863 as a vulnerability that attackers were already exploiting, but did not offer any details.
Google discovered the vulnerability after researchers at Apple and the University of Toronto's The Citizen Lab notified the company about finding a security issue in libwebp that an attacker had abused to drop the notorious Pegasus spyware on target iPhones. Though Google and Apple have assigned different CVEs — Apple's identifier for the libwebp bug is CVE-2023-41064 — some security researchers have said it is likely that the bugs are essentially the same since they exist in the same library and have identical characteristics.
In addition to these three zero-days, Google disclosed three other Chrome bugs this year that attackers were actively exploiting before the company had a patch for them.