A critical security vulnerability has been unearthed in Google’s web browser. In response, the Mountain View company swiftly released a security patch to address Chrome’s fifth zero-day flaw this year.
Google has recently remedied the fifth zero-day vulnerability identified in Chrome. The Mountain View company expedited an update for the browser following the detection of a significant breach actively exploited by hackers. Clément Lecigne, a security engineer in Google’s Threat Analysis Group, was the one to expose this security lapse.
An issue with a video codec library
Listed as CVE-2023-5217, this high-profile vulnerability is believed to affect libvpx, a free video codec library developed by Google and the Alliance for Open Media, used for encoding videos in VP8 and VP9 formats. The heap overflow problem was detected specifically in the VP8 video encoding module. Hackers can exploit this vulnerability to execute arbitrary code, potentially gaining control of the targeted machine.
As reported by Bleeping Computer, Maddie Stone, a security researcher at the Google Threat Analysis Group, indicated on Twitter that the CVE-2023-5217 zero-day flaw had been utilized by a surveillance software publisher to install cyberespionage tools.
As is customary, Google has provided only the essential details regarding this new zero-day flaw.
“Access to bug details and links may be restricted until a majority of users are up to date with a fix. We will also maintain the restrictions if the bug exists in a third-party library that other projects depend on but which has not yet been fixed,” simply indicated the Mountain View firm.
Here is a high-level summary covering some key points about zero-day vulnerabilities in Google Chrome:
A zero-day vulnerability is a software security flaw that is unknown to the software vendor and can be exploited by attackers before the vendor becomes aware of it and releases a patch. Google Chrome, being one of the most popular web browsers globally, is an attractive target for zero-day exploits.
Some notable zero-day vulnerabilities found in Chrome in the past include:
- CVE-2019-13720 – A use-after-free vulnerability in Chrome’s audio component that could lead to code execution. This was exploited in the wild in 2019 before Google released a patch.
- CVE-2021-37975 – A heap buffer overflow vulnerability that could also enable code execution. This was fixed by Google in October 2021 after reports of exploitation.
The risks of zero-days in Chrome and other browsers are high given their ubiquitous use. Successful exploits can lead to computer takeovers, data theft, surveillance and more. Chrome’s auto-update mechanism helps protect users, but delays between exploit reports and patched releases give attackers a window of opportunity.
Google invests a great deal in Chrome security and has implemented mitigations like site isolation and sandboxing to limit damage from potential zero-days. However, they likely remain an ongoing challenge, as Chrome faces frequent reports of vulnerabilities from security researchers, bug bounty hunters and others that require ongoing triaging and patching.
Overall, zero-days represent a complex challenge in the world of browser security. Google and other vendors take them seriously but they are difficult to fully prevent. Ongoing threats like zero-days emphasize the need for multi-layered security strategies on the user, enterprise and vendor side.
Update Chrome right away
The CVE-2023-5217 flaw has been addressed in Chrome version 117.0.5937.132 on Windows, macOS, and Linux. If the browser is set to install the update automatically, it may not do so immediately. However, you can easily force its installation. To do this, follow these steps:
Step 1: Launch Google Chrome on your computer.
Step 2: Click on the three vertical dots in the top-right corner of the browser window. This will open the Chrome menu.
Step 3: From the menu, hover your mouse over “Help,” and then select “About Google Chrome.”
Step 4: A new tab will open, showing you the current version of Google Chrome. If a new update is available, Chrome will automatically start downloading and installing it.
Step 5: Once the update is downloaded, you’ll see a button to “Relaunch” Chrome. Click on it to apply the update.
Step 6: After Chrome restarts, you’ll have the latest version installed.
That’s it! By following these steps, you should be able to update Google Chrome successfully. If you have any further questions, feel free to ask.
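For anyone checking more than one machine, the manual steps above come down to one question: is the installed build at or past 117.0.5937.132? The following is an added example, not code from the article or from Google, that answers it over a constructed inventory of hostnames and `google-chrome --version` output; the hostnames and every version other than the fixed release are made up, and it also shows why the comparison must be numeric rather than a plain string comparison.

```python
import re
from typing import List, Tuple

# Release that fixed CVE-2023-5217 on Windows, macOS and Linux (from the article).
FIXED_VERSION = "117.0.5937.132"

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){3})\b")

def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a four-part Chrome version out of text such as the output of
    `google-chrome --version` ("Google Chrome 117.0.5937.132") and return
    it as a tuple of ints, so that comparisons are numeric."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the build is at or beyond the fixed release.
    Pitfall avoided: compared as strings, "117.0.5937.92" sorts after
    "117.0.5937.132", so a naive string comparison would call it patched."""
    return parse_version(version_text) >= parse_version(fixed)

def unpatched_hosts(inventory: str) -> List[str]:
    """Take lines of '<hostname> <version text>' and return the hostnames
    that still need the update. A line whose version cannot be parsed is
    included too, because an unknown build must not be assumed safe."""
    needs_update = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.strip().partition(" ")
        try:
            if not is_patched(version_text):
                needs_update.append(host)
        except ValueError:
            needs_update.append(host)
    return needs_update

# Constructed sample inventory: hostnames and all versions other than the
# fixed release are made up for this example.
SAMPLE_INVENTORY = """\
ws-01 Google Chrome 117.0.5937.132
ws-02 Google Chrome 117.0.5937.92
ws-03 Google Chrome 118.0.6000.1
ws-04 Google Chrome 116.0.5800.0
ws-05 chrome not installed
"""
```

Running `unpatched_hosts(SAMPLE_INVENTORY)` on the sample returns ws-02, ws-04 and ws-05, the hosts that still need the relaunch-and-update steps above.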