Security news that informs and inspires

Google Fixes Critical Chrome Zero Day


Google is warning of a zero day vulnerability in its Chrome browser, which is being fixed as part of updates that will be pushed out in the coming days or weeks for Mac, Linux and Windows.

Google said the flaw (CVE-2023-4863) is a heap buffer overflow bug that exists in WebP, which is an image file format developed by Google. As is normal for its security advisories, Google did not disclose further details on the flaw or exploits.

“Google is aware that an exploit for CVE-2023-4863 exists in the wild,” according to Google’s advisory on Monday. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

Google said that the flaw was reported by Apple’s Security Engineering and Architecture team and the Citizen Lab team on Sept. 6. Separately, on Sept. 7, Apple released security updates that address two actively exploited vulnerabilities in various versions of macOS, iOS, watchOS and iPadOS, CVE-2023-41061 and CVE-2023-41064.

The discovery of those Apple flaws was the result of an investigation by Citizen Lab, which said that they are part of an exploit chain called BLASTPASS, which is capable of compromising iPhones running on the latest version of iOS (16.6) without any victim interaction.

Google's fixes this week have been issued in versions 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows for the Stable and Extended stable channels.

Google has fixed other zero day flaws in Chrome over the past year, including a high-severity type confusion error (CVE-2023-3079) in Google’s V8 open source JavaScript and WebAssembly engine, which was patched in June; and a high-severity integer overflow flaw (CVE-2023-2136) in Skia, an open-source graphics library that serves as the graphics engine for Chrome, ChromeOS and Android, which was fixed in April.