Google Patches 5th Zero-Day Vulnerability in Chrome 117.0.5938.132

The zero-day exploit CVE-2023-5217 is now fixed in Google Chrome.


Google has acted swiftly to address the fifth zero-day vulnerability in Chrome that has been exploited in attacks since the beginning of this year.

In a recent emergency security update, the company patched the security flaw in Chrome 117.0.5938.132.

Fifth Zero-Day on Google Chrome Gets Patched

According to a report by Bleeping Computer, Google fixed the most recent zero-day, tracked as "CVE-2023-5217."

In a security release that Google published on Wednesday, Sept. 27, the vulnerability was described as existing "in the wild." If the company did not act immediately to solve the issue, cybercriminals would take advantage of its weakness.

Global Rollout of Security Patch in Chrome 117.0.5938.132

Google says that the patch has been launched worldwide for users with Google Chrome version 117.0.5938.132. It's available not just on Windows but also on other operating systems such as Linux and Mac via the Stable Desktop channel.

There's no assurance that all users will receive the patched version of Chrome within a single day. Users the update has not yet reached can always check the announcement for changes.

Automated Updates for Enhanced Security

As part of its security measures, Google's web browser regularly checks for new updates and, in most cases, will automatically install them upon the next browser launch. This automated approach ensures that users benefit from the latest security enhancements without any significant effort.


Understanding the Severity of CVE-2023-5217

The zero-day vulnerability, CVE-2023-5217, is categorized as high-severity. It stems from a heap buffer overflow weakness found in the VP8 encoding of the open-source libvpx video codec library. This type of vulnerability can have a wide-ranging impact, from causing application crashes to enabling attackers to execute arbitrary code on affected systems.

According to Hacker News, here are the four zero-day vulnerabilities that were fixed previously.

The zero-day vulnerability was originally identified by Clément Lecigne, a security researcher with Google Threat Analysis Group (TAG).

The security community respects TAG researchers for their role in discovering and reporting zero-days, often exploited in targeted attacks by government-sponsored threat actors.

The seriousness of this zero-day is highlighted by the fact that it has already been exploited in the wild to install spyware on targeted systems. However, Google has not yet shared detailed information about the specific incidents or the extent of this exploitation.

Proactive Measures for User Safety

By releasing an emergency patch, Google has taken a proactive approach to protect Chrome users from potential attacks leveraging this zero-day. This approach can be crucial in minimizing the risk of threat actors developing and using their own exploits in real-world scenarios, especially as more technical details of the vulnerability become available.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.