Navigating the Urgency: Actively Exploited Zero-Day in Chrome Finally Resolved
If you're among the billions of internet users who rely on Google Chrome for web browsing, it's time to take immediate action. Google has recently addressed a critical, actively exploited zero-day vulnerability in its Chrome browser, marking the fifth such incident in 2023 alone. In this comprehensive guide, we'll dissect the nature of this actively exploited zero-day in Chrome, identified as CVE-2023-5217, and what it means for cybersecurity going forward.
What is a Zero-Day Vulnerability?
A “zero-day” is a software vulnerability that is unknown to the vendor, leaving them with “zero days” to fix it before it becomes a security risk. Zero-day vulnerabilities are especially critical because attackers can exploit them before a patch becomes available. The recent Chrome vulnerability is a clear example of an actively exploited zero-day.
The Discovery of CVE-2023-5217
Google's internal Threat Analysis Group (TAG), in collaboration with cybersecurity researchers, brought this high-severity, actively exploited zero-day in Chrome to light. The flaw centers around a heap-based buffer overflow in the VP8 compression format in libvpx, an open-source software video codec library developed by Google and the Alliance for Open Media (AOMedia).
Clément Lecigne from Google's TAG was credited for discovering this vulnerability on September 25, 2023. His fellow researcher Maddie Stone brought further attention to it by acknowledging its exploitation by a commercial spyware company targeting high-risk individuals. Google later confirmed that it was aware that an exploit for CVE-2023-5217 exists in the wild.
Understanding Heap-Based Buffer Overflow
Heap-based buffer overflow vulnerabilities can lead to various outcomes, including program crashes or the execution of arbitrary code. By exploiting such a flaw, a malicious actor could compromise the integrity and availability of the targeted system.
Previous Zero-Days in 2023
This newly identified vulnerability marks the fifth zero-day to plague Chrome users this year. The previous ones were:
- CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
The Spyware Angle
It's suggested that Israeli spyware maker Cytrox may have exploited another recently patched Chrome vulnerability (CVE-2023-4762) to deliver Predator spyware. While information about these in-the-wild attacks remains limited, they add to the rising concern about state-sponsored cyber-espionage.
The Bigger Cybersecurity Picture
This development comes hot on the heels of Google assigning a new CVE identifier, CVE-2023-5129, to another critical flaw in the libwebp image library. This too has been actively exploited, considering its broad attack surface.
Google recommends users upgrade to Chrome version 117.0.5938.132 across Windows, macOS, and Linux to mitigate potential threats. Similarly, Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also update as fixes become available. For the most current update instructions, refer to Google's official patch notice.
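A fleet check against the fixed version named above, as an added example that is not part of the original article. The inventory lines are constructed, and `classify`, `audit` and `hosts_needing_action` are hypothetical helper names; other Chromium-based browsers use their own build numbering, so they are flagged for a vendor-advisory check rather than compared against Chrome's number.

```python
import re

# Fixed Chrome release stated in the article.
FIXED_CHROME = (117, 0, 5938, 132)

# Constructed sample inventory: (host, version string collected by an inventory tool).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 117.0.5938.132 "),
    ("ws-002", "Google Chrome 117.0.5938.92"),
    ("ws-003", "Google Chrome 116.0.5845.187"),
    ("ws-004", "Google Chrome 118.0.5993.70"),
    ("ws-005", "Microsoft Edge 117.0.2045.47"),
    ("ws-006", "Google Chrome (version unavailable)"),
]

VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+(?:\.\d+){3})(?:\s+\w+)?$")


def classify(version_output):
    """Return 'patched', 'vulnerable', 'check-vendor' or 'unparsed'."""
    match = VERSION_RE.match(version_output.strip())
    if match is None:
        return "unparsed"  # never treat an unreadable version as safe
    if match.group("product") != "Google Chrome":
        # Other Chromium-based browsers number their builds differently,
        # so Chrome's fixed version is not a valid threshold for them.
        return "check-vendor"
    # Compare numerically, field by field: as strings, "92" sorts after "132".
    version = tuple(int(part) for part in match.group("ver").split("."))
    return "patched" if version >= FIXED_CHROME else "vulnerable"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(output) for host, output in inventory}


def hosts_needing_action(inventory):
    """Hosts that are not confirmed patched, sorted for a stable report."""
    return sorted(h for h, s in audit(inventory).items() if s != "patched")


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `check-vendor` or `unparsed` still need follow-up: the first against that browser vendor's own advisory, the second by re-collecting the version.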
Mozilla and Microsoft's Response
On a related note, Mozilla released Firefox updates to fix CVE-2023-5217. Microsoft also rolled out updates to remediate both CVE-2023-4863 and the actively exploited zero-day in Chrome, CVE-2023-5217. Microsoft did not confirm whether its own products, like Edge, Skype, and Teams, were impacted.
The repeated discovery of actively exploited zero-day vulnerabilities in popular software like Chrome should serve as a wake-up call for both individual users and the tech industry at large. By staying updated on the latest patches and employing robust security measures, users can defend against the ever-evolving threat landscape.
Given the frequent occurrence of these vulnerabilities, staying vigilant and updated is no longer optional; it's a necessity.
What is a Zero-Day vulnerability?
A Zero-Day vulnerability refers to a software flaw that is unknown to the vendor and is actively being exploited by malicious actors before it can be patched.
What is the CVE identifier for this Chrome vulnerability?
The specific vulnerability is tracked as CVE-2023-5217.
What type of vulnerability is CVE-2023-5217?
CVE-2023-5217 is a heap-based buffer overflow vulnerability in the VP8 compression format in libvpx.
Who discovered this vulnerability?
Clément Lecigne of Google's Threat Analysis Group (TAG) is credited with discovering and reporting this flaw.
Has this vulnerability been exploited?
Yes, it has been actively exploited, and Google acknowledges that an “exploit exists in the wild.”
Who is being targeted?
Though specific details are sparse, it has been noted that a commercial spyware vendor has been exploiting the vulnerability to target high-risk individuals.
What could an attacker do with this vulnerability?
Exploiting this vulnerability can result in program crashes and could potentially allow the execution of arbitrary code, impacting both availability and integrity of the system.
What should I do to protect myself?
It's crucial to update your Chrome browser immediately to version 117.0.5938.132 to mitigate this threat.
Is this the first Zero-Day for Chrome in 2023?
No, this marks the fifth such vulnerability in Chrome for which patches have been released this year.
Are other browsers affected?
Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply fixes as they become available.
What about Firefox and Microsoft browsers?
Both Mozilla and Microsoft have released updates to remediate similar vulnerabilities, though it is not confirmed if their products were exploited in the wild.
Is there any suspicion about who might be exploiting this vulnerability?
It's suspected that Israeli spyware maker Cytrox may have exploited a recently patched Chrome vulnerability as a zero-day to deliver Predator.
What other Zero-Day vulnerabilities have been patched this year for Chrome?
Some of the other vulnerabilities include CVE-2023-2033, CVE-2023-2136, CVE-2023-3079, and CVE-2023-4863, among others.
Where can I read more about Zero-Day vulnerabilities?
How can I keep track of updates and security news?
To stay updated, follow trusted cybersecurity news platforms and social media channels.