
Chrome Patches 0-Day Exploited by Commercial Spyware Vendor

Limited Details Disclosed But Google Said It Is a Heap-Based Buffer Overflow Bug

Google rolled out an urgent Chrome browser security update to address a zero-day actively exploited by a commercial spyware vendor. The high-severity bug is the fifth zero-day patched by Chrome this year.


The tech giant in a Wednesday update announced a fix for the vulnerability, tracked as CVE-2023-5217.

The flaw is a heap-based buffer overflow issue in the VP8 compression format within the libvpx library. Libvpx is a free software video codec library from Google and the Alliance for Open Media, also known as AOMedia. It is the VP8 video encoder for WebM, an open-for-all, royalty-free media file format that reduces bitrate while retaining visual quality.

A heap-based buffer overflow occurs when a program writes more data to a dynamically allocated region of memory than the buffer can hold, so the excess spills into adjacent heap memory. Attackers can exploit this by manipulating that neighboring data or by creating a pointer that leads the program to run malicious code.

Google did not provide further details about the vulnerability, only stating that it is aware of an exploit in the wild. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."

Google credited the discovery to Clément Lecigne of the company's Threat Analysis Group. Maddie Stone, a researcher at Google TAG, tweeted that the flaw was "in use by a commercial surveillance vendor."

The market for commercial spyware has boomed over the past decade. At least 30 vendors now offer tools designed to remotely retrieve smartphone text messages, surreptitiously activate microphones and obtain precise locations. Despite assurances from multiple vendors that they have strong controls in place to prevent their tools from being used inappropriately, civil society activists say such tools are regularly employed by authoritarian or repressive regimes (see: Apple Fixes Bugs That Infected Egyptian Politician's iPhone).

The patch comes just weeks after Chrome fixed another zero-day being exploited in the wild - CVE-2023-4863 (see: Google Fixes Chrome Zero-Day Exploited in the Wild). The previous bug was also a buffer overflow vulnerability.


About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



