Another Chrome security issue is exploited in the wild (and affecting all Chromium-based browsers)
Google released a security update for a security vulnerability in Google Chrome that is exploited in the wild. It is the fifth 0-day vulnerability in Google Chrome in 2023. Other Chromium-based browsers are also affected by the security issue.
Chrome users should install the update immediately to protect their browser from potential attacks. Selecting Menu > Help > About Google Chrome displays the installed version on desktop systems. Chrome performs an update check whenever the page is opened to download and install any update. This happens automatically, but a restart is required to complete the update.
The browser should list the following version after the update: 117.0.5938.132 for all supported operating systems.
Chrome's 5th 0-day security vulnerability
The release notes provide little information on the vulnerability. It is identified as CVE-2023-5217 and has a severity rating of high. The heap buffer overflow issue in VP8 encoding in libvpx was reported by Clément Lecigne of Google's Threat Analysis Group on September 25, 2023. Google notes that the issue is exploited in the wild, but does not provide specifics.
Another member of Google's Threat Analysis Group revealed on Twitter that "a commercial surveillance vendor" was using the vulnerability. No specifics are provided, but it suggests that this vendor could use the vulnerability to install spyware on user devices. It is unclear at this point how the vulnerability is exploited and whether it requires an active action on the part of the user or not.
Google patched two additional security issues in the Chrome release. Both are use-after-free vulnerabilities: one in Passwords, the other in Extensions. Both security issues are rated as high and have been assigned CVE-2023-5186 and CVE-2023-5187.
The security issues affect Google Chrome on Android as well. Google released an update for Chrome for Android, which brings the version to 117.0.5938.140 on the platform. Android offers no option to speed up the installation of the update, as it is centrally distributed via Google Play.
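A fleet check that can be scripted from the two patched builds the article names (117.0.5938.132 on desktop, 117.0.5938.140 on Android). This is an added example, not code from the article; the inventory format and host names are constructed for illustration, and the check assumes any build at or above the named version carries the fix.

```python
# Added example: flag Google Chrome installs still below the builds that fix
# CVE-2023-5217, using numeric version comparison rather than string comparison.

# Minimum patched builds as stated in the article (desktop and Android differ).
PATCHED = {
    "desktop": (117, 0, 5938, 132),
    "android": (117, 0, 5938, 140),
}


def parse_version(text: str) -> tuple:
    """Turn '117.0.5938.132' into (117, 0, 5938, 132) so comparison is numeric.

    Plain string comparison would wrongly rank '117.0.5938.92' above
    '117.0.5938.132', which is why the components are converted to ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if the given build is at or above the patched build for that platform."""
    key = platform.strip().lower()
    if key not in PATCHED:
        raise ValueError(f"unknown platform {platform!r}; expected desktop or android")
    return parse_version(version) >= PATCHED[key]


def hosts_needing_update(inventory: str) -> list:
    """inventory: CSV lines of 'host,platform,version'. Returns hosts on vulnerable builds."""
    vulnerable = []
    for line in inventory.strip().splitlines():
        host, platform, version = (field.strip() for field in line.split(","))
        if not is_patched(platform, version):
            vulnerable.append(host)
    return vulnerable


# Constructed sample inventory (hypothetical hosts and versions, not from the article).
SAMPLE_INVENTORY = """\
ws-01,desktop,117.0.5938.132
ws-02,desktop,117.0.5938.92
ws-03,desktop,118.0.5993.70
phone-01,android,117.0.5938.140
phone-02,android,117.0.5938.132
"""

if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```

Note that phone-02 is flagged even though its build matches the desktop fix version, because the Android fix shipped in a later build.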
Other Chromium-based web browsers, such as Microsoft Edge, Brave, Opera or Vivaldi, are also affected by the vulnerabilities. Expect updates for these browsers; some may have been released already.
The security update is the second 0-day issue that Google fixed in September. It released another patch on September 12th that addressed a severe vulnerability in Chrome's handling of WebP images.