Google has released an emergency security update for Chrome users, just days after Apple issued a critical patch for iOS 16.6.1. Both updates address zero-day vulnerabilities that could allow hackers to execute arbitrary code on the affected devices.
What are the zero-day vulnerabilities?
A zero-day vulnerability is a software flaw that is unknown to the developers and the public, but is exploited by malicious actors before a patch is available. Zero-day attacks are very dangerous, as they can compromise systems without any warning or detection.
The iOS 16.6.1 update fixed two zero-day vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, that were used in an attack called BLASTPASS. According to Citizen Lab, a research group at the University of Toronto, BLASTPASS leveraged PassKit attachments containing malicious images to execute code on iPhones and iPads. Apple said it was aware of a report that these issues may have been actively exploited.
The Chrome zero-day vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow issue in the WebP image format. WebP is a modern image format that provides superior compression and quality for web images. However, a maliciously crafted WebP image could trigger a memory corruption error in Chrome and allow an attacker to run code on the browser. Google said it was aware of reports that this issue exists in the wild.
How are the vulnerabilities related?
It is not clear if the two sets of vulnerabilities are related, but there are some coincidences that suggest a possible connection. First, both vulnerabilities involve image processing and could enable zero-click attacks, meaning that the user does not need to interact with anything to trigger the exploit. Second, both vulnerabilities were reported to Google and Apple by the same entities: the Apple Security Engineering and Architecture team and Citizen Lab. Third, both vulnerabilities were disclosed within days of each other, suggesting a coordinated effort to patch them.
However, these are only speculations and there is no official confirmation from either company about the origin or the scope of the attacks. It is possible that the vulnerabilities were discovered independently by different researchers or hackers, and that they were coincidentally reported at the same time.
How to protect yourself from the vulnerabilities?
The best way to protect yourself from these vulnerabilities is to update your devices as soon as possible. Apple has already released iOS 16.6.1 for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. You can check for updates by going to Settings > General > Software Update on your device.
Google has also released Chrome 94.0.4606.61 for Windows, Mac, and Linux users. You can update your browser by going to Settings > Help > About Google Chrome on your computer. Alternatively, you can download the latest version from Google’s website.
It is important to keep your devices updated with the latest security patches, as hackers are constantly looking for new ways to exploit software flaws. By updating your devices regularly, you can reduce the risk of falling victim to zero-day attacks.