
Chrome Patches 0-Day Exploited by Commercial Spyware Vendor – Source: www.govinfosecurity.com


Source: www.govinfosecurity.com – Author: 1

Governance & Risk Management, Patch Management

Limited Details Disclosed but Google said it is a Heap-based Buffer Overflow Bug

Mihir Bagwe (MihirBagwe) • September 28, 2023

Google rolled out an urgent Chrome browser security update to address a zero-day actively exploited by a commercial spyware vendor. The high-severity bug is the fifth zero-day patched in Chrome this year.


The tech giant in a Wednesday update announced a fix for the vulnerability, tracked as CVE-2023-5217.

The flaw is a heap-based buffer overflow in the VP8 compression format within the libvpx library. Libvpx is a free software video codec library from Google and the Alliance for Open Media, also known as AOMedia. It is the VP8 video encoder for WebM, an open, royalty-free media file format that reduces bitrate while retaining visual quality.

A heap-based buffer overflow occurs when a program writes more data to a dynamically allocated region of memory than the buffer can hold. Attackers can take advantage of this to corrupt adjacent data or overwrite a pointer and redirect execution to malicious code.

Google did not provide further details about the vulnerability, only stating that it is aware of an exploit in the wild. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

Google credited the discovery to Clément Lecigne of the company’s Threat Analysis Group. Maddie Stone, also a researcher at Google TAG, tweeted the flaw was “in use by a commercial surveillance vendor.”

The market for commercial spyware has boomed over the past decade. At least 30 vendors now offer tools designed to remotely retrieve smartphone text messages, surreptitiously activate microphones and obtain precise locations. Despite assurances from multiple vendors that they have strong controls in place to prevent their tools from being used inappropriately, civil society activists say such tools are regularly employed by authoritarian or repressive regimes (see: Apple Fixes Bugs That Infected Egyptian Politician’s iPhone).

The patch comes just weeks after Chrome fixed another zero-day exploited in the wild, CVE-2023-4863 (see: Google Fixes Chrome Zero-Day Exploited in the Wild). The previous bug was also a buffer overflow vulnerability.

Original Post URL: https://www.govinfosecurity.com/chrome-patches-0-day-exploited-by-commercial-spyware-vendor-a-23191
