Google Patches Chrome Zero-Day Exploited by Spyware Vendor
The vulnerability came to light when Clement Lecigne from Google’s Threat Analysis Group (TAG) reported it to the Chrome team just two days before the release of the patch.
Google has acknowledged that the vulnerability, identified as CVE-2023-5217 and characterized as a “heap buffer overflow in vp8 encoding in libvpx,” has been actively exploited in the wild.
Google’s advisory provides limited information about the attacks using this zero-day, stating, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
While Google TAG has not provided detailed information, TAG researcher Maddie Stone confirmed that the Chrome vulnerability had been exploited to deploy spyware.
The fix for this vulnerability is included in Google Chrome version 117.0.5938.132, which is currently rolling out to Windows, Mac, and Linux users in the Stable Desktop channel.
Last week, Google TAG disclosed that Apple had patched three zero-day vulnerabilities, a fix aimed at blocking an exploit used to install Predator spyware on the phone of an Egyptian presidential candidate.
Predator, spyware developed by the controversial commercial spyware vendor Cytrox, can extract data from a victim’s phone once it is installed.
This emergency patch release for Chrome follows Google’s recent resolution of another actively exploited zero-day, initially misidentified as a Chrome vulnerability.
It was later reclassified as a flaw in the open-source libwebp library, used for encoding and decoding WebP format images.
Security experts have linked this vulnerability, rated with a maximum severity score of 10/10, to the zero-click iMessage exploit chain known as BLASTPASS, utilized to deploy the NSO Group’s Pegasus spyware on compromised iPhones.