Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor – Source: www.securityweek.com

Google has rushed to patch another Chrome zero-day vulnerability exploited by a commercial spyware vendor. 

The internet giant announced on Tuesday that the stable channel of Chrome for Windows, macOS and Linux has been updated to version 117.0.5938.132.

The latest update patches 10 vulnerabilities, three of which have been highlighted by the company in its advisory.

The most important vulnerability, tracked as CVE-2023-5217, has been described as a “heap buffer overflow in vp8 encoding in libvpx”. The issue was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released.

Google warned that CVE-2023-5217 has been exploited in the wild.

While the advisory does not provide any information on the attacks exploiting the zero-day, Google TAG researcher Maddie Stone revealed that it has been leveraged by a commercial surveillance vendor. 

The news comes shortly after Google TAG and the University of Toronto’s Citizen Lab group released details on an operation whose goal was to deliver a piece of spyware known as Predator to an opposition politician in Egypt. 

An analysis showed that the threat actor has used various zero-days and man-in-the-middle (MitM) attacks to deliver spyware to both Android and iOS devices. 

CVE-2023-5217 is the sixth Chrome zero-day patched by Google in 2023, after CVE-2023-4762, CVE-2023-4863, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136. 

The latest Chrome update also patches CVE-2023-5186 and CVE-2023-5187, two high-severity use-after-free bugs in the Passwords and Extensions components.

Related: Federal Agencies Instructed to Patch New Chrome Zero-Day

Related: Exploitation of Recent Chrome Zero-Day Linked to Israeli Spyware Company

Related: Google Attempts to Explain Surge in Chrome Zero-Day Exploitation