Chrome zero-day exploited in the wild, patch now! (CVE-2023-4863)
Google has rolled out a security update for a critical Chrome zero-day vulnerability (CVE-2023-4863) exploited in the wild.
About the vulnerability (CVE-2023-4863)
CVE-2023-4863 is a critical heap buffer overflow vulnerability in WebP, a raster graphics file format intended to replace the JPEG, PNG, and GIF formats.
Buffer overflows can lead to crashes and infinite loops, and can be exploited to execute arbitrary code.
“The Stable and Extended stable channels have been updated to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows, which will roll out over the coming days/weeks,” Google has informed.
Chrome generally applies the update automatically when users close and reopen the browser. If the browser hasn’t been closed in a while, users will see a colored icon indicating a pending update. Mac users can also set up automatic browser updates.
Exploitation
Google says that CVE-2023-4863 has been actively exploited in the wild and that it was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School.
Google has not yet revealed details about the attack, but urges users to update the browser as soon as possible.
Citizen Lab has recently detected two zero-day vulnerabilities (CVE-2023-41064, CVE-2023-41061) affecting Apple devices. The vulnerabilities have been chained together to deliver NSO Group’s Pegasus spyware to specific high-risk targets.
Apple has fixed the vulnerabilities (one or both, depending on the release) in current as well as older iOS, iPadOS, macOS and watchOS versions, and has advised individuals facing an elevated risk of targeted cyberattacks to activate Lockdown Mode.
UPDATE (September 13, 2023, 04:20 a.m. ET):
Mozilla has fixed the same flaw in Firefox, Firefox ESR, and Thunderbird.
“Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild,” they commented.
UPDATE (September 13, 2023, 06:25 a.m. ET):
It seems that CVE-2023-4863 and CVE-2023-41064, which was patched by Apple earlier this month, stem from the same source.
The flaw is, in fact, in the libwebp library, which is used by a wide range of software: most browsers (Chrome, Firefox, Brave, Tor Browser, etc.), many Linux distributions (Ubuntu, Debian, Gentoo, SUSE, etc.), password managers (1Password, Bitwarden, etc.), and other software (MS Teams, Slack, Telegram, Signal, Basecamp, Discord, GitHub Desktop, etc.).
“Because CVE-2023-4863 was wrongly scoped as a browser vulnerability, most scanners will fail to detect it in cases where the libwebp library is being used as a dependency. Organizations should consider adopting alternative tooling to ensure all instances are detected and can be addressed promptly,” Rezilion researchers advised.
“For software, applications, or packages that dynamically incorporate the libwebp package into their code rather than statically linking it, updating the libwebp library to the latest version is crucial. After the update, it is advisable to restart these applications to ensure the changes take effect.”
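The two Rezilion points above, that dependency scanners miss libwebp and that dynamically linked applications must be restarted after the library is updated, can be checked directly on a Linux host. The following script is an added example written for this article; it is not Rezilion's tooling or the article's own code. It reads /proc/<pid>/maps for each process, lists the libwebp shared objects each one has mapped, and flags mappings that the kernel marks "(deleted)", which is what a process shows when it loaded libwebp before the package update replaced the file on disk. The process names, paths and maps lines in SAMPLE are constructed, not captured from a real system; the libwebp soname pattern assumes the library's usual file names (libwebp, libwebpdemux, libwebpmux, libwebpdecoder).

```python
"""Find running processes that map libwebp, and flag the ones still holding a
replaced (deleted) copy, i.e. the processes that need a restart after the
libwebp package was updated. Linux /proc layout assumed; constructed sample
data is embedded so the script also runs offline (pass --live to read /proc)."""
import os
import sys
import re
from typing import Dict, List, NamedTuple, Tuple

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")
# Shared objects shipped by libwebp, with any .so version suffix and the
# optional " (deleted)" marker the kernel appends once the file is unlinked.
LIBWEBP_SO = re.compile(
    r"/libwebp(?:demux|mux|decoder)?\.so(?:\.\d+)*(?:\s+\(deleted\))?$")


class Finding(NamedTuple):
    pid: int
    comm: str
    path: str    # mapped file as shown in maps (may end in " (deleted)")
    stale: bool  # True when the mapped file was replaced on disk


def libwebp_mappings(maps_text: str) -> List[str]:
    """Return the distinct libwebp file mappings found in one maps dump."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group(1).strip()
        if path.startswith("/") and LIBWEBP_SO.search(path) and path not in seen:
            seen.append(path)
    return seen


def audit(processes: Dict[int, Tuple[str, str]]) -> List[Finding]:
    """processes maps pid -> (comm, contents of /proc/<pid>/maps)."""
    findings: List[Finding] = []
    for pid, (comm, maps_text) in sorted(processes.items()):
        for path in libwebp_mappings(maps_text):
            findings.append(Finding(pid, comm, path, path.endswith("(deleted)")))
    return findings


def needs_restart(findings: List[Finding]) -> List[Tuple[int, str]]:
    """Processes holding a stale libwebp: the ones to restart after updating."""
    return sorted({(f.pid, f.comm) for f in findings if f.stale})


def collect_live() -> Dict[int, Tuple[str, str]]:
    """Read comm and maps for every readable process. Other users' processes
    are only visible when run with sufficient privileges."""
    out: Dict[int, Tuple[str, str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{entry}/maps") as f:
                out[int(entry)] = (comm, f.read())
        except OSError:
            continue  # process exited, or /proc entry not readable
    return out


# Constructed sample (not captured from a real host): one process started
# before the update, one restarted after it, one that never used libwebp.
SAMPLE: Dict[int, Tuple[str, str]] = {
    4242: ("slack",
           "7f10a0000000-7f10a0080000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libwebp.so.7 (deleted)\n"
           "7f10a0080000-7f10a0090000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"),
    5151: ("firefox",
           "7f20b0000000-7f20b0080000 r-xp 00000000 08:01 9999 /usr/lib/x86_64-linux-gnu/libwebp.so.7\n"
           "7f20b0080000-7f20b0088000 r-xp 00000000 08:01 9998 /usr/lib/x86_64-linux-gnu/libwebpdemux.so.2\n"),
    777: ("bash",
          "7f30c0000000-7f30c0020000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"),
}

if __name__ == "__main__":
    procs = collect_live() if "--live" in sys.argv else SAMPLE
    results = audit(procs)
    for f in results:
        print(f"{f.pid:>7} {f.comm:<20} {'STALE' if f.stale else 'ok':<6} {f.path}")
    for pid, comm in needs_restart(results):
        print(f"restart needed: {comm} (pid {pid})")
```

This only covers copies of libwebp loaded as a shared object, which is exactly the case the quoted advice addresses. Applications that statically link libwebp (the case scanners miss) show no libwebp mapping at all, so for those the check has to be done against the application's own release notes and version rather than against /proc.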
UPDATE (September 28, 2023, 03:30 a.m. ET):
Google has submitted a new CVE entry for the same flaw in the libwebp library (CVE-2023-5129), but the ID has since been rejected or withdrawn by Google, and the CVE-2023-4863 entry has been expanded to cover the impact on libwebp.
UPDATE (September 29, 2023, 04:21 a.m. ET):
Proof-of-concept code for CVE-2023-4863 has been published on GitHub.