Google took swift action to fix a serious zero-day flaw in its Chrome browser that a commercial spyware vendor had exploited.
Just two days before the patch's release, Clement Lecigne of Google's Threat Analysis Group (TAG) reported the vulnerability to the Chrome team; it was assigned the identifier CVE-2023-5217. According to TechCrunch, Google has confirmed that the vulnerability was exploited in the wild but has not provided any further information about the attacks that used the zero-day.
In a post on X (formerly Twitter), TAG researcher Maddie Stone noted that this specific Chrome vulnerability has been used to install spyware. Google described the zero-day as a "heap buffer overflow in vp8 encoding in libvpx."
Google Sends Out Patch
Google Chrome version 117.0.5938.132, which is currently rolling out to Windows, Mac, and Linux users in the Stable Desktop channel, contains the fix for this zero-day vulnerability.
Between May and September 2023, three zero-days that Apple fixed last Thursday were used to spread Cytrox's Predator malware, according to Google TAG researchers working with Citizen Lab. Google has acknowledged that CVE-2023-5217 was exploited but has not yet offered any details on those particular cases.
According to Google, access to bug details and links may be restricted until the majority of users have received the patch. The company also keeps the restriction in place if the bug lies in a third-party library that other projects similarly depend on but have not yet fixed.
This approach gives Google Chrome users time to update their browsers first, lowering the likelihood that threat actors can develop and use their own exploits from the published details.
Zero-Day Vulnerability Surge in 2023
According to Tech Monitor, in 2023, zero-day vulnerabilities increased compared to the previous year. Google's Project Zero has found 45 zero-day exploits this year, up from 41 in 2022.
This month, another zero-day vulnerability, CVE-2023-4863, affected Microsoft Edge, Mozilla Firefox, and Safari. According to Bleeping Computer, Google had already released a Chrome patch to fix this issue. The bug has since been assigned a new CVE with a higher severity rating because it may affect a wider range of applications that rely on the WebP library.
Such zero-day vulnerabilities are in high demand among surveillance companies because they serve as the foundation for spyware, including NSO Group products like Pegasus. Earlier this month, Apple and Citizen Lab discovered a vulnerability in iPhones running the newest iOS that allowed unauthorized access without any user interaction.
Zero-day vulnerabilities are unpatched system or device flaws. Attacks on such vulnerabilities are called zero-day exploits. They heighten cyberattack risks for users as cybercriminals quickly leverage these flaws to carry out their unlawful activities. According to Trend, zero-day vulnerabilities stay exposed until the vendor patches them.