Google has fixed a zero-day vulnerability in its Chrome browser that a commercial vendor has already been actively exploiting to drop surveillance software on target systems.
And it’s the third Chrome zero-day bug that Google has disclosed in recent days that’s connected to spying activity.
Memory Corruption Vulnerabilities
The new buffer overflow issue that Google is tracking as CVE-2023-5217 stems from the implementation of a video compression format in libvpx, a software library that Chrome uses. The flaw is remotely exploitable: by luring a user to a maliciously crafted HTML page, an attacker can corrupt heap memory and gain remote code execution on the target system. It is present in versions of Google Chrome prior to 117.0.5938.132 and in versions of libvpx before 1.13.1.
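A defender-side check for the affected versions named above, added here as an example and not part of the original article: it compares inventoried Chrome and libvpx builds against the fixed releases numerically rather than as strings, since a text comparison mis-orders multi-digit components. The inventory entries are constructed sample data.

```python
# Added example: flags Chrome and libvpx installs older than the fixed
# releases named in the article (Chrome 117.0.5938.132, libvpx 1.13.1).
# The inventory below is constructed sample data, not real hosts.
from __future__ import annotations

# Fixed versions from the article: anything older is affected by CVE-2023-5217.
FIXED_VERSIONS = {
    "chrome": "117.0.5938.132",
    "libvpx": "1.13.1",
}

# Constructed inventory of (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "117.0.5938.92"),   # older build in the 117 line
    ("ws-02", "chrome", "117.0.5938.132"),  # exactly the fixed build
    ("ws-03", "chrome", "118.0.5993.70"),   # newer major release
    ("ws-04", "chrome", "99.0.4844.51"),    # "greater" as text, older as a release
    ("srv-01", "libvpx", "1.12.0"),
    ("srv-02", "libvpx", "1.13.1"),
    ("srv-03", "libvpx", "1.9"),            # fewer components than the fixed version
]

def parse_version(text: str) -> tuple[int, ...]:
    """Split a dotted version into integers so comparison is numeric.

    String comparison gets this wrong: "99.0.4844.51" > "117.0.5938.132"
    as text, but 99 < 117 as a release.
    """
    return tuple(int(p) for p in text.strip().split("."))

def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build predates the fixed release for this CVE."""
    fixed = parse_version(FIXED_VERSIONS[product])
    have = parse_version(installed)
    # Pad the shorter tuple with zeros so "1.9" compares as (1, 9, 0).
    width = max(len(fixed), len(have))
    fixed_padded = fixed + (0,) * (width - len(fixed))
    have_padded = have + (0,) * (width - len(have))
    return have_padded < fixed_padded

def find_exposed(inventory) -> list[str]:
    """Return the hosts that still run an affected Chrome or libvpx build."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: update required for CVE-2023-5217")
```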
Google’s Chrome team credited a member of the company’s Threat Analysis Group (TAG) for discovering and reporting the zero-day threat on Sept. 25. The company issued a patch for it on Sept. 27. In a post on X, formerly Twitter, TAG security researcher Maddie Stone described the bug as a zero-day that a commercial surveillance vendor was exploiting at the time of patch release.
Stone’s tweet did not identify the vendor by name, but in recent days Google has pointed to a surveillance vendor named Intellexa as abusing a previous Chrome zero-day (CVE-2023-4762) to drop a spying tool called Predator on target Android devices in Egypt. Google patched that bug on Sept. 5 after a security researcher notified the company about the threat.
A Flurry of Zero-Days
CVE-2023-5217 is actually the sixth zero-day vulnerability that Google has disclosed in Chrome this year. It is the third vulnerability the company has rushed to patch just this month that appears connected to spying activity.
On Sept. 11, Google disclosed a critical vulnerability identified as CVE-2023-4863 that affected Google Chrome versions for Windows, macOS, and Linux. The buffer overflow vulnerability, in a Chrome library related to image processing (libwebp), gave attackers a way to execute arbitrary code on target systems using maliciously crafted images on HTML pages. Google identified CVE-2023-4863 as a vulnerability that attackers were already exploiting, but did not offer any details.
Google discovered the vulnerability after researchers at Apple and the University of Toronto’s Citizen Lab notified the company about finding a security issue in libwebp that an attacker had abused to drop the notorious Pegasus spyware on target iPhones. Though Google and Apple have assigned different CVEs — Apple’s identifier for the libwebp bug is CVE-2023-41064 — some security researchers have said it is likely that the bugs are essentially the same, since they exist in the same library and have identical characteristics.
In addition to these three zero-days, Google disclosed three other Chrome bugs this year that attackers were actively exploiting before the company had a patch for them.
In June, Google disclosed CVE-2023-3079, a so-called type confusion error in the V8 JavaScript engine in Chrome that an attacker could exploit via a specially crafted HTML page. Google disclosed the other two zero-days in April. One was an integer overflow issue in the Skia open source graphics library, tracked as CVE-2023-2136, and the other was CVE-2023-2033, also a type confusion error in V8 that an attacker could exploit via a malicious HTML page. Threat actors were actively exploiting all three vulnerabilities at the time of patching.