Google has rolled out a security update for a critical Chrome zero-day vulnerability (CVE-2023-4863) exploited in the wild.
About the vulnerability (CVE-2023-4863)
CVE-2023-4863 is a critical heap buffer overflow vulnerability in the component that handles WebP, a raster graphics file format that replaces JPEG, PNG, and GIF file formats.
Buffer overflows can lead to crashes, infinite loops, and can be used to execute arbitrary code.
“The Stable and Extended stable channels has been updated to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows, which will roll out over the coming days/weeks,” Google has informed.
Chrome generally applies the update automatically when users close and reopen the browser. If the browser hasn’t been closed in a while, users will see a colored icon indicating a pending update. Mac users can also set up automatic browser updates.
Exploitation
Google says that CVE-2023-4863 has been actively exploited in the wild and has been reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School.
Google has not yet revealed details about the attack, but urges users to update the browser as soon as possible.
Citizen Lab has recently detected two zero-day vulnerabilities (CVE-2023-41064, CVE-2023-41061) affecting Apple devices. The vulnerabilities have been chained together to deliver NSO Group’s Pegasus spyware to specific high-risk targets.
Apple has fixed one or both of the vulnerabilities in newer as well as older iOS, iPadOS, macOS and watchOS versions, and has advised individuals facing an elevated risk of targeted cyberattacks to activate Lockdown Mode.