"Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor"

Google has recently rushed to patch another Chrome zero-day vulnerability exploited by a commercial spyware vendor.  Google announced that Chrome for Windows, macOS, and Linux has been updated to version 117.0.5938.132.  The latest update patches 10 vulnerabilities, three of which have been highlighted by the company in its advisory.  According to Google, the most critical vulnerability, tracked as CVE-2023-5217, is a "heap buffer overflow in vp8 encoding in libvpx." Clement Lecigne of Google's Threat Analysis Group (TAG) reported the issue to the Chrome team just two days before the patch was released.  Google warned that CVE-2023-5217 has been exploited in the wild.  While the advisory does not provide any information on the attacks exploiting the zero-day, Google TAG researcher Maddie Stone revealed that it had been leveraged by a commercial surveillance vendor.  CVE-2023-5217 is the sixth Chrome zero-day patched by Google in 2023, after CVE-2023-4762, CVE-2023-4863, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136.  Google noted that the latest Chrome update also patches CVE-2023-5186 and CVE-2023-5187, two high-severity use-after-free bugs in the Passwords and Extensions components.

 

SecurityWeek reports: "Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor"

Submitted by Adam Ekwall on