As part of a security update on Wednesday, Google fixed a heap buffer overflow issue in its Chrome browser that is being exploited in the wild.
The high-severity flaw (CVE-2023-5217) exists in the vp8 encoding in libvpx, a free software video codec library developed by Google and the Alliance for Open Media. While details for the flaw - which was reported by Clement Lecigne with Google’s Threat Analysis Group (TAG) - have not been disclosed, Google TAG security researcher Maddie Stone on Wednesday said that the zero day is in use by a commercial surveillance vendor.
Google did not provide further information about these exploits, other than to say in its Wednesday release that it “is aware that an exploit for CVE-2023-5217 exists in the wild.”
There were also no further details mentioned on the specific spyware vendor using the Chrome flaw. Google TAG researchers, who often dig into zero day attacks from commercial spyware companies, also led the charge earlier this month in the discovery of Apple zero days that they said were used to deliver NSO Group's Pegasus spyware, as well as ones that were part of an exploit chain developed by commercial surveillance vendor Intellexa.
The heap overflow bug, meanwhile, is the second Chrome zero day fixed by Google this month. Earlier in September, Google warned of a heap buffer overflow bug that exists in WebP, which is an image file format developed by Google. The company has also fixed a high-severity type confusion error zero day (CVE-2023-3079) in June and a high-severity integer overflow flaw (CVE-2023-2136) in April. Though the number of actively exploited flaws being disclosed is ticking up over the year, the good news is that Google appears to be staying on top of these zero days; a patch for CVE-2023-5217 was developed within two days of Sept. 25, when it was first reported.
On Wednesday, Google also released nine other security fixes, including a high-severity use-after-free flaw (CVE-2023-5186) in Passwords and a high-severity use-after-free error (CVE-2023-5187) in Extensions. Google said its updates in version 117.0.5938.132 for Windows, Mac and Linux will roll out over the coming days/weeks.