GOOGLE FIXED THE FIFTH CHROME ZERO-DAY OF 2023

Pierluigi Paganini
September 28, 2023

Google released security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-5217, in the Chrome browser.

Google on Wednesday released security updates for the Chrome browser to address a new, actively exploited zero-day flaw tracked as CVE-2023-5217.

CVE-2023-5217 is a high-severity heap buffer overflow in the VP8 encoder of libvpx, the open-source VP8/VP9 codec library that Chrome bundles. It was reported by Clément Lecigne of Google's Threat Analysis Group (TAG) on 2023-09-25; TAG's involvement typically points to exploitation by a nation-state actor or a commercial surveillance vendor. Because libvpx is also embedded in Firefox and in other software with video-encoding or WebRTC features, those products needed their own updates; patching Chrome alone does not close the bug everywhere the library ships.

“High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-09-25,” reads the advisory published by Google. “Google is aware that an exploit for CVE-2023-5217 exists in the wild.”

Google TAG researcher Maddie Stone noted that the fix shipped only two days after the initial report; she also confirmed that the exploit was in use by a commercial spyware vendor.

Chrome uses libvpx to encode VP8 for WebRTC calls and similar media APIs, so the encoder is reachable from web content. A page that drives it with crafted input can corrupt the heap of the renderer process, crashing the browser or, as the in-the-wild exploit shows, achieving arbitrary code execution.
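
The following is an added illustration of the bug class named in the advisory. It is constructed for this page: it is not libvpx code and does not reproduce CVE-2023-5217, whose root cause the article does not describe. A toy encoder sizes its heap working buffer from the first frame and then copies later frames without re-checking their dimensions (the vulnerable pattern), beside a hardened version that rejects any frame that does not match the allocated size. The names encoder_init, encode_frame_unchecked, encode_frame_checked and try_frame are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not libvpx code and not the CVE-2023-5217 trigger.
 * It shows the class of bug the advisory names: a heap buffer sized for one
 * frame geometry that is later written with a frame of a different geometry. */

typedef struct {
    uint32_t width, height;   /* dimensions the buffer was sized for */
    size_t   cap;             /* bytes allocated in buf */
    uint8_t *buf;             /* heap working buffer */
} encoder_t;

typedef struct {
    uint32_t width, height;
    const uint8_t *pixels;    /* width*height bytes of 8-bit luma */
} frame_t;

/* Allocate an encoder for the first frame's geometry. Returns NULL if the
 * size computation would overflow or the allocation fails. */
encoder_t *encoder_init(uint32_t w, uint32_t h) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return NULL;
    encoder_t *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->width = w;
    e->height = h;
    e->cap = (size_t)w * h;
    e->buf = malloc(e->cap);
    if (!e->buf) { free(e); return NULL; }
    return e;
}

void encoder_free(encoder_t *e) {
    if (e) { free(e->buf); free(e); }
}

/* VULNERABLE pattern: trusts the frame's own dimensions and copies
 * width*height bytes into a buffer that was sized for the initial frame.
 * Any frame larger than the first one writes past the end of e->buf
 * (AddressSanitizer reports heap-buffer-overflow). Kept only for contrast;
 * nothing below calls it with a mismatched frame. */
int encode_frame_unchecked(encoder_t *e, const frame_t *f) {
    size_t n = (size_t)f->width * f->height;
    memcpy(e->buf, f->pixels, n);
    return 0;
}

/* HARDENED: the buffer is valid only for the geometry it was allocated for.
 * A frame with different dimensions is rejected before any copy happens
 * (a real encoder would reallocate here instead). Returns 0 on success,
 * -1 when the frame does not match the configured size. */
int encode_frame_checked(encoder_t *e, const frame_t *f) {
    if (f->width != e->width || f->height != e->height) return -1;
    size_t n = (size_t)f->width * f->height;
    if (n > e->cap) return -1;   /* never exceed the allocation, whatever the caller says */
    memcpy(e->buf, f->pixels, n);
    return 0;
}

/* Experiment helper: allocate an encoder for (w, h), offer it one frame of
 * (fw, fh) filled with zeros, and return the hardened encoder's verdict
 * (0 accepted, -1 rejected), or -2 on allocation failure. */
int try_frame(uint32_t w, uint32_t h, uint32_t fw, uint32_t fh) {
    encoder_t *e = encoder_init(w, h);
    if (!e) return -2;
    uint8_t *px = calloc((size_t)fw, fh);   /* calloc checks fw*fh for overflow */
    if (!px) { encoder_free(e); return -2; }
    frame_t f = { fw, fh, px };
    int rc = encode_frame_checked(e, &f);
    free(px);
    encoder_free(e);
    return rc;
}

int main(void) {
    printf("same geometry   -> %d (expected 0)\n",  try_frame(16, 16, 16, 16));
    printf("4x larger frame -> %d (expected -1)\n", try_frame(16, 16, 32, 32));
    printf("one row taller  -> %d (expected -1)\n", try_frame(16, 16, 16, 17));
    return 0;
}
```

Compiling with `-fsanitize=address` and calling encode_frame_unchecked with the 32x32 frame makes the overflow visible immediately; the hardened path turns the same input into a clean error return, which is the property a fuzzer or regression test should assert on.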

This is the fifth actively exploited Chrome zero-day that Google has patched this year; the other four are:

  • CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library
  • CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP

Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to address the zero-day. The installed version can be checked, and the update forced, from chrome://settings/help; the fix only takes effect once the browser has been relaunched.

In the same stable-channel update, Google also addressed the following vulnerabilities in the Chrome browser:

  • [$TBD][1478889] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
  • [$2000][1475798] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
