Google has patched the fifth Chrome zero-day vulnerability exploited in attacks since the start of the year in emergency security updates released today.
“Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company revealed in a security advisory published on Wednesday.
The security vulnerability is addressed in Google Chrome 117.0.5938.132, rolling out worldwide to Windows, Mac, and Linux users in the Stable Desktop channel.
While the advisory says it will likely take days or weeks until the patched version reaches the entire user base, the update was immediately available when BleepingComputer checked for updates.
The web browser will also auto-check for new updates and automatically install them after the next launch.
Reported by Google TAG
The high-severity zero-day vulnerability (CVE-2023-5217) is caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, a flaw whose impact ranges from app crashes to arbitrary code execution.
The bug was reported by Google Threat Analysis Group (TAG) security researcher Clément Lecigne on Monday, September 25.
Google TAG researchers are known for often finding and reporting zero-days abused in targeted spyware attacks by government-sponsored threat actors and hacking groups targeting high-risk individuals such as journalists and opposition politicians.
For instance, with Citizen Lab researchers, Google TAG revealed on Friday that three zero-days patched by Apple last Thursday were used to install Cytrox’s Predator spyware between May and September 2023.
While Google said today that the CVE-2023-5217 zero-day had been exploited in attacks, the company has yet to share more information regarding these incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
As a direct result, Google Chrome users will have enough time to update their browsers as a preemptive measure against potential attacks.
This proactive approach can help mitigate the risk of threat actors creating their own exploits and deploying them in real-world scenarios, particularly as more technical details become available.
Google fixed another zero-day (tracked as CVE-2023-4863) exploited in the wild two weeks ago, the fourth one since the start of the year.
While first marking it as a Chrome flaw, the company later assigned another CVE (CVE-2023-5129) and a maximum 10/10 severity rating, tagging it as a critical security vulnerability in libwebp (a library used by a large number of projects, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple’s Safari, and the native Android web browser).