Another Chrome security issue is exploited in the wild (and affecting all Chromium-based browsers)

Martin Brinkmann
Sep 28, 2023
Google Chrome
|
11

Google released a security update for a security vulnerability in Google Chrome that is exploited in the wild. It is the fifth 0-day vulnerability in Google Chrome in 2023. Other Chromium-based browsers are also affected by the security issue.

Chrome users should install the update immediately to protect their browser from potential attacks. Selecting Menu > Help > About Google Chrome displays the installed version on desktop systems. Chrome performs an update check whenever the page is opened to download and install any update. This happens automatically, but a restart is required to complete the update.

The browser should list the following version after the update: 117.0.5938.132 for all supported operating systems.

Chrome's 5th 0-day security vulnerability

chrome 117 security update

The release notes provide little information on the vulnerability. It is identified as CVE-2023-5217 and has a severity rating of high. The heap buffer overflow issue in VP8 encoding in libvpx was reported by Clément Lecigne of Google's Threat Analysis Group on September 25, 2023. Google notes that the issue is exploited in the wild, but does not provide specifics.

Another member of Google's Threat Analysis Group revealed on Twitter that "a commercial surveillance vendor" was using the vulnerability. No specifics are provided, but it suggests that this vendor could use the vulnerability to install spyware on user devices. It is unclear at this point how the vulnerability is exploited and whether it requires an active action on part of the user or not.

Google patched two additional security issues in the Chrome release. Both are use after free vulnerabilities; one in passwords, the other in extensions. Both security issues are rated as high and have the assigned CVEs CVE-2023-5186 and CVE-2023-5187.

The security issues affect Google Chrome on Android as well. Google released an update for Chrome for Android, which brings the version to 117.0.5938.140 on the platform. Android offers no option to speed up the installation of the update, as it is centrally distributed via Google Play.

Other Chromium-based web browsers, such as Microsoft Edge, Brave, Opera or Vivaldi, are also affected by the vulnerabilities. Expect updates for these browsers, some may have been released already.

The security update is the second 0-day issue that Google fixed in September. It released another patch on September 12th that addressed a severe vulnerability in Chrome's handling of webp images.

Summary
Another Chrome security issue is exploited in the wild (and affecting all Chromium-based browsers)
Article Name
Another Chrome security issue is exploited in the wild (and affecting all Chromium-based browsers)
Description
Google released a security update for a security vulnerability in Google Chrome that is exploited in the wild.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. HT said on October 9, 2023 at 7:42 am
    Reply

    Finally found it, listed as “shutdown” option…HT

  2. HT said on October 2, 2023 at 8:44 pm
    Reply

    I updated to chrome OS version 117.0.5938.144 and have lost the ability to add trusted users in order to quick switch between users. The quick settings panel at the bottom right which appears when I click the time has completely changed so that the current user is not identified and there is nothing to click that allows me to add another user. I have searched online for information, with no success. Can you shed some light on this? Thanks, HT.

    1. Anonymous said on October 9, 2023 at 12:43 am
      Reply

      Answered my own question after hunting and pecking… HT

  3. chesscanoe said on September 29, 2023 at 12:01 am
    Reply

    To start to fix this problem I upgraded CHROME, as well as LIBREOFFICE to 7.6.2.1 . Several more applications will have to release fixes for their products as well.

    1. Chromium-Holeum said on September 29, 2023 at 8:11 am
      Reply

      You are mistaken: this is a different vulnerability. Not the one that affected LibreOfffice and Chrome ( previous time).
      Updating LibreOffice to version 7.6.2.1 does not close this vulnerability in any way (although, according to available information, this time applications that do not include JavaScript engine are not affected – so apparently only chromium-based browsers are vulnerable).

      1. Anonymous said on September 29, 2023 at 6:15 pm
        Reply

        Another buffer overflow, this time in VP8 video encoding:

        “The fact that a package depends on libvpx does not necessarily mean that it’d be vulnerable. The vuln is in VP8 encoding, so if something uses libvpx only for decoding, they have nothing to worry about. Firefox, Chrome (and Chromium-based) browsers, plus other things that expose VP8 encoding capabilities from libvpx to JavaScript (i.e. web browsers), seem to be at risk,” Will Dorman, senior principal analyst at Analygence.

  4. Mystique said on September 28, 2023 at 8:27 pm
    Reply

    Article Title: Another Chrome security issue is exploited in the wild (and affecting all Chromium-based browsers)
    Article URL: https://www.ghacks.net/2023/09/28/another-chrome-security-issue-is-exploited-in-the-wild-and-affecting-all-chromium-based-browsers/

    Maybe Martin is confused with another new exploit that he may be preparing an article for another issue which is being exploited that is limited to Chromium based browsers such as Chrome and Edge that involves stealing usernames and passwords.
    An article will probably be released about it soon but as far as webp sadly you are correct that it also affects many other browsers and software because they support webp. I believe even image viewers are at risk too.

    Say no to google and say no to webp!

  5. nicolaasjan said on September 28, 2023 at 6:06 pm
    Reply

    @Martin:

    It’s affecting Firefox as well:
    [https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/]
    [https://archive.mozilla.org/pub/firefox/releases/118.0.1/]

  6. Cor Invictus said on September 28, 2023 at 4:41 pm
    Reply

    28.IX, 17:30, Europe, Brave is on 117.0.5938.92.
    P.S. This is getting annoying, btw!

    1. Dark Doom said on September 28, 2023 at 9:57 pm
      Reply

      @Cor Invictus

      If you still haven’t gotten the update (I don’t use Brave stable), you can go to https://github.com/brave/brave-browser/releases and find the Release v1.58.135 (Chromium 117.0.5938.140) which is in Pre-Release and sideload it in your phone and your computer.
      Better than waiting if you really want it.

    2. StalinHat said on September 28, 2023 at 5:03 pm
      Reply

      well, there is already a Brave Stable pre-release v1.58.134 (Chromium 117.0.5938.140) in Github releases, also a Beta with the same .140 version.
      Nightly got 118 yesterday and this post only talks about 117, so I will pretend 118 doesn’t need a ‘fix’.

      That means you can easily sideloaded this version and don’t wait for official releases.

      In fact, on android, if you install the APK from github you get to use chrome-urls like sync-internals and useful browser urls like that, so Github releases have a difference and an advantage over the google play version, and as far as I remember this applies to any version of Brave, not just Nightly.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.