Google has promptly addressed a critical zero-day vulnerability, CVE-2023-5217, in its Chrome browser that was actively exploited by a commercial spyware vendor to target high-risk individuals.
The high-severity flaw is a heap-based buffer overflow in the VP8 encoding path of libvpx, a video codec library developed by Google and the Alliance for Open Media. Exploiting a heap overflow of this kind can crash the program or allow arbitrary code execution, compromising system availability and integrity.
The discovery of this zero-day vulnerability was credited to Clément Lecigne of Google’s Threat Analysis Group (TAG), who reported it on September 25, 2023. Google confirmed the existence of an exploit in the wild but did not disclose further details about the attack. This incident marks the fifth zero-day vulnerability in Google Chrome that has been patched in 2023. The previous ones include CVE-2023-2033, CVE-2023-2136, CVE-2023-3079, and CVE-2023-4863.
To safeguard against potential threats, users are strongly advised to update their Chrome browser to version 117.0.5938.132, available for Windows, macOS, and Linux. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should apply their vendors' patches promptly as they become available. Google's swift response highlights the ongoing challenge of staying vigilant against ever-evolving cyber threats.
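As an added example (not part of the article), a small Python check that compares an installed Google Chrome build against the fixed version named above. Chrome's four-part versions must be compared component by component: as plain strings, `"117.0.5938.92"` sorts after `"117.0.5938.132"`, so a naive string comparison would wrongly report the older build as patched. The `google-chrome` binary name is an assumption (Linux default); Chromium-based browsers number their own builds, so the check applies to Chrome itself only.

```python
# Added example: check a Chrome version string against the first build that
# carries the CVE-2023-5217 fix (117.0.5938.132, as stated in the article).
import re
import subprocess
from typing import Optional, Tuple

FIXED_CHROME_VERSION = "117.0.5938.132"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '117.0.5938.132' into (117, 0, 5938, 132) so components compare numerically."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the installed build is at or beyond the fixed build.

    Integer tuples compare component-wise, so 117.0.5938.132 > 117.0.5938.92;
    a plain string comparison gets this backwards because '1' < '9'.
    """
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local Chrome binary for its version; None if it is not installed.

    The binary name is an assumption (Linux default), not something the article states.
    """
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    found = re.search(r"\d+\.\d+\.\d+\.\d+", out)
    return found.group(0) if found else None


if __name__ == "__main__":
    current = installed_chrome_version()
    if current is None:
        print("Google Chrome not found on PATH")
    else:
        status = "patched" if is_patched(current) else "VULNERABLE to CVE-2023-5217"
        print(f"Chrome {current}: {status}")
```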