Google Patches Chrome Zero-Day Used in Spyware Attacks

Written by

Google has patched three high-severity flaws in the latest release of its Chrome browser, including one zero-day vulnerability it said is being actively exploited in the wild.

Google Chrome 117.0.5938.132 is currently rolling out worldwide to Windows, Mac and Linux users in the Stable desktop channel.

Most noteworthy is a fix for CVE-2023-5217, described as a heap buffer overflow issue in the VP8 encoding of open source libvpx video codec library.

No other details were available on the official Google Chrome update page, although the firm said “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

However, we do know that it was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on Monday. The quick turnaround time for a patch signifies the criticality of the bug.

That was confirmed by TAG researcher, Maddie Stone, who said the vulnerability is “in use by a commercial surveillance vendor.”

Read more on spyware: NSO Group's Pegasus Spyware Found on High-Risk iPhones

It’s unclear exactly who that vendor is at this stage, but there has been a spate of zero-day discoveries of late tied back to commercial spyware makers.

Just last week, Apple patched three zero-day vulnerabilities it claimed may have been actively exploited in the wild on iOS devices. These were discovered by TAG and the non-profit Citizen Lab.

Citizen Lab tied the bugs to Cytrox’s Predator spyware and said they were delivered via links sent on SMS and WhatsApp. They were initially observed targeting Egyptian presidential hopeful, Ahmed Eltantawy.

A previous duo of Apple zero-days used in a “BlastPass” exploit chain were traced to the NSO Group and its Pegasus spyware.

The remaining two high-severity bugs fixed in this Chrome update are CVE-2023-5186, a use-after-free flaw in Passwords, and CVE-2023-5187, a use-after-free bug in Extensions.

Editorial image credit: NiP STUDIO / Shutterstock.com

What’s hot on Infosecurity Magazine?