Google patches zero-day exploited by commercial spyware vendor

Google has rushed to patch a zero-day vulnerability in Chrome that was exploited by a commercial spyware vendor.

The vulnerability was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released. Google said it is aware that an exploit for the vulnerability, tracked as CVE-2023-5217 and described as a “heap buffer overflow in vp8 encoding in libvpx”, exists in the wild.

Google’s advisory doesn’t provide any further details about attacks exploiting the zero-day. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company said.

Google TAG didn’t immediately respond to information.killnetswitch’s questions, but TAG researcher Maddie Stone said in a post on X, formerly Twitter, that the Chrome vulnerability had been exploited to install spyware.

The vulnerability is fixed in Google Chrome 117.0.5938.132, which is rolling out now to Windows, Mac, and Linux users in the Stable Desktop channel.

Just last week, Google TAG revealed that three zero-days recently patched by Apple had been pushed out to block an exploit used to plant the Predator spyware on the phone of an Egyptian presidential candidate. Predator is spyware developed by Cytrox, a controversial commercial spyware vendor, that can steal the contents of a victim’s phone once installed.

The release of an emergency patch for Chrome comes just weeks after Google fixed another actively exploited zero-day that was discovered by Apple’s Security Engineering and Architecture (SEAR) team and Citizen Lab, a digital rights group at the University of Toronto that has investigated spyware for more than a decade.

This vulnerability was initially misidentified as a Chrome vulnerability, but Google has since assigned it to the open-source libwebp library used to encode and decode images in WebP format. This reclassification has ramifications for numerous popular apps that use libwebp, including 1Password, Firefox, Microsoft Edge, Safari and Signal.

Security researchers have linked the vulnerability, which was given a maximum 10/10 severity rating, to the zero-click iMessage exploit chain, named BLASTPASS, used to deploy the NSO Group’s Pegasus spyware on compromised iPhones.
