Chrome Flags Third Zero-Day This Month Thats Tied to Spying Exploits

  /     /     /  
Publicated : 23/11/2024   Category : security


Chrome Flags Third Zero-Day This Month Thats Tied to Spying Exploits


So far this year, Google has disclosed six vulnerabilities that attackers were actively exploiting before the company had a patch for them.



Google has fixed a zero-day vulnerability in its Chrome browser that a commercial vendor has already been actively exploiting to drop surveillance software on target systems.
And its the third Chrome zero-day bug that Google has disclosed in recent days thats connected to spying activity.
The new buffer overflow issue that Google is tracking as CVE-2023-5217 stems from the implementation of a video compression format in a software library that Chrome uses. The flaw is remotely exploitable and gives attackers a way to gain remote code execution on a target system by manipulating heap memory via a maliciously crafted HTML page. It is present in versions of Google Chrome prior to 117.0.5938.132 and versions of the libvpx library before 1.13.1.
Googles Chrome team
credited
a member of the companys Threat Analysis Group (TAG) for discovering and reporting the zero-day threat on Sept. 25. The company issued a patch for it on Sept. 27. In a post on X, formerly Twitter, TAG security researcher Maddie Stone
described the bug
as a zero-day that a commercial surveillance vendor was exploiting at the time of patch release.
Stones tweet did not identify the vendor by name, but in recent days Google has pointed to a
surveillance vendor named Intellexa
as abusing a previous Chrome zero-day (
CVE-2023-4762
) to drop a spying tool called Predator on target Android devices in Egypt. Google patched that bug on Sept. 5 after a security researcher notified the company about the threat.
CVE-2023-5217 is actually the sixth zero-day vulnerability that Google has disclosed in Chrome this year. It is the third vulnerability the company has rushed to patch just this month that appears connected to spying activity.
On Sept. 11, Google disclosed a critical vulnerability identified as
CVE-2023-4863
that affected Google Chrome versions for Windows, macOS, and Linux. The buffer overflow vulnerability, in a Chrome library related to image processing (libwebp), gave attackers a way to write arbitrary code on target systems using maliciously crafted HTML images. Google identified CVE-2023-4863 as a vulnerability that
attackers were already exploiting
, but did not offer any details.
Google discovered the vulnerability after researchers at Apple and the University of Torontos The Citizen Lab notified the company about finding a security issue in libwebp that an attacker had abused to drop the
notorious Pegasus spyware
on target iPhones. Though Google and Apple have assigned different CVEs — Apples identifier for the libwebp bug is
CVE-2023-41064
— some security researchers have said it is likely that the
bugs are essentially the same
since they exist in the same library and have identical characteristics.
In addition to these three zero-days, Google disclosed three other Chrome bugs this year that attackers were actively exploiting before the company had a patch for them.
In June, Google disclosed
CVE-2023-3079
, a so-called type confusion error in the V8 JavaScript engine in Chrome that an attacker could exploit via a specially crafted HTML page. Google disclosed the other two zero-days in April. One was an integer overflow issue in the Skia open source graphics library, tracked as
CVE-2023-2136
, and the other is
CVE-2023-2033
, also a type confusion error in V8 that an attacker can exploit via a malicious HTML page. Threat actors were actively exploiting all three vulnerabilities at the time of patching.

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Chrome Flags Third Zero-Day This Month Thats Tied to Spying Exploits