Another Chrome security issue is exploited in the wild (and affecting all Chromium-based browsers)
Google released a security update for a security vulnerability in Google Chrome that is exploited in the wild. It is the fifth 0-day vulnerability in Google Chrome in 2023. Other Chromium-based browsers are also affected by the security issue.
Chrome users should install the update immediately to protect their browser from potential attacks. Selecting Menu > Help > About Google Chrome displays the installed version on desktop systems. Chrome performs an update check whenever the page is opened to download and install any update. This happens automatically, but a restart is required to complete the update.
The browser should list the following version after the update: 117.0.5938.132 for all supported operating systems.
Chrome's 5th 0-day security vulnerability
The release notes provide little information on the vulnerability. It is identified as CVE-2023-5217 and has a severity rating of high. The heap buffer overflow issue in VP8 encoding in libvpx was reported by Clément Lecigne of Google's Threat Analysis Group on September 25, 2023. Google notes that the issue is exploited in the wild, but does not provide specifics.
Another member of Google's Threat Analysis Group revealed on Twitter that "a commercial surveillance vendor" was using the vulnerability. No specifics are provided, but it suggests that this vendor could use the vulnerability to install spyware on user devices. It is unclear at this point how the vulnerability is exploited and whether it requires an active action on part of the user or not.
Google patched two additional security issues in the Chrome release. Both are use after free vulnerabilities; one in passwords, the other in extensions. Both security issues are rated as high and have the assigned CVEs CVE-2023-5186 and CVE-2023-5187.
The security issues affect Google Chrome on Android as well. Google released an update for Chrome for Android, which brings the version to 117.0.5938.140 on the platform. Android offers no option to speed up the installation of the update, as it is centrally distributed via Google Play.
Other Chromium-based web browsers, such as Microsoft Edge, Brave, Opera or Vivaldi, are also affected by the vulnerabilities. Expect updates for these browsers, some may have been released already.
The security update is the second 0-day issue that Google fixed in September. It released another patch on September 12th that addressed a severe vulnerability in Chrome's handling of webp images.
Finally found it, listed as “shutdown” option…HT
I updated to chrome OS version 117.0.5938.144 and have lost the ability to add trusted users in order to quick switch between users. The quick settings panel at the bottom right which appears when I click the time has completely changed so that the current user is not identified and there is nothing to click that allows me to add another user. I have searched online for information, with no success. Can you shed some light on this? Thanks, HT.
Answered my own question after hunting and pecking… HT
To start to fix this problem I upgraded CHROME, as well as LIBREOFFICE to 7.6.2.1 . Several more applications will have to release fixes for their products as well.
You are mistaken: this is a different vulnerability. Not the one that affected LibreOfffice and Chrome ( previous time).
Updating LibreOffice to version 7.6.2.1 does not close this vulnerability in any way (although, according to available information, this time applications that do not include JavaScript engine are not affected – so apparently only chromium-based browsers are vulnerable).
Another buffer overflow, this time in VP8 video encoding:
“The fact that a package depends on libvpx does not necessarily mean that it’d be vulnerable. The vuln is in VP8 encoding, so if something uses libvpx only for decoding, they have nothing to worry about. Firefox, Chrome (and Chromium-based) browsers, plus other things that expose VP8 encoding capabilities from libvpx to JavaScript (i.e. web browsers), seem to be at risk,” Will Dorman, senior principal analyst at Analygence.
Article Title: Another Chrome security issue is exploited in the wild (and affecting all Chromium-based browsers)
Article URL: https://www.ghacks.net/2023/09/28/another-chrome-security-issue-is-exploited-in-the-wild-and-affecting-all-chromium-based-browsers/
Maybe Martin is confused with another new exploit that he may be preparing an article for another issue which is being exploited that is limited to Chromium based browsers such as Chrome and Edge that involves stealing usernames and passwords.
An article will probably be released about it soon but as far as webp sadly you are correct that it also affects many other browsers and software because they support webp. I believe even image viewers are at risk too.
Say no to google and say no to webp!
@Martin:
It’s affecting Firefox as well:
[https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/]
[https://archive.mozilla.org/pub/firefox/releases/118.0.1/]
28.IX, 17:30, Europe, Brave is on 117.0.5938.92.
P.S. This is getting annoying, btw!
@Cor Invictus
If you still haven’t gotten the update (I don’t use Brave stable), you can go to https://github.com/brave/brave-browser/releases and find the Release v1.58.135 (Chromium 117.0.5938.140) which is in Pre-Release and sideload it in your phone and your computer.
Better than waiting if you really want it.
well, there is already a Brave Stable pre-release v1.58.134 (Chromium 117.0.5938.140) in Github releases, also a Beta with the same .140 version.
Nightly got 118 yesterday and this post only talks about 117, so I will pretend 118 doesn’t need a ‘fix’.
That means you can easily sideloaded this version and don’t wait for official releases.
In fact, on android, if you install the APK from github you get to use chrome-urls like sync-internals and useful browser urls like that, so Github releases have a difference and an advantage over the google play version, and as far as I remember this applies to any version of Brave, not just Nightly.