Google Fixes Chrome Zero-Day Exploited in the Wild – Source: www.databreachtoday.com

Endpoint Security
,
Governance & Risk Management
,
Vulnerability Assessment & Penetration Testing (VA/PT)

Chrome Bug Caused by Heap Buffer Overflow Issue in the WebP Image Format

Mihir Bagwe (MihirBagwe) •
September 12, 2023    

Google released a fix on Monday for a Chrome zero-day. Like the three before it, this fourth Chrome zero-day vulnerability found in 2023 allows an attacker to remotely target a vulnerable version of the browser.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

An attacker could exploit the vulnerability to execute arbitrary code, mishandle the data in the browser’s memory and eventually crash the browser on a victim’s device. The flaw stems from a heap buffer overflow issue in the WebP, an image format championed by Google as a high-quality compression method.

Tracked as CVE-2023-4863, the vulnerability is being exploited in the wild, Google said. Mozilla on Tuesday also released a patch to fix the flaw for the Firefox browser.

Researchers at Apple Security Engineering and Architecture and The Citizen Lab at The University of Toronto’s Munk School reported the zero-day flaw to Chrome developers Sept. 6.

The same teams of researchers last week also found and fixed a zero-click exploit – called BlastPass – that was used to deliver the Pegasus advanced spyware app to at least one iPhone carried by an individual employed at a Washington, D.C.-based civil society organization (see: Apple Fixes Zero-Click Bugs Exploited by NSO Group’s Spyware).

Potential links between the two could not be established as Apple and Citizen Lab did not immediately respond to Information Security Media Group’s request for information.

Safe Browsing Gets an Upgrade

The development of the Chrome zero-day comes as Google further tightens its Chrome security features. Chrome turns 15 years old this month, and the tech giant wants to offer a browser that is fast, reliable, secure and easy to use. Last week, Google introduced a host of upgrades including one to its Safe Browsing feature that automatically flags dangerous sites and files.

The Safe Browsing feature previously worked by checking every site visit against a locally stored list of known bad sites that is updated every 30 to 60 minutes. “But phishing domains have gotten more sophisticated – and today, 60% of them exist for less than 10 minutes, making them difficult to block,” Google said.

The tech giant is now upgrading the Standard protection mode to Safe Browsing to block these malicious sites the moment they launch. This means Chrome will now check sites against Google’s known bad sites in real-time – without sharing the user’s browsing history.

The company estimates 25% improved protection from malware and phishing threats due to the shortened time between identification and prevention of these threats. The update is set to roll out to Chrome users in the coming weeks.

The Safe Browsing’s Enhanced Protection mode can be activated for additional protection, which Google says “continues to block new attacks with AI, provide a deep scan for files and offer extra protection from malicious Chrome extensions.”