Google has released an emergency security update for its Chrome browser to fix a critical zero-day vulnerability that is being actively exploited by hackers. The flaw, tracked as CVE-2023-5217, is a heap-based buffer overflow in the VP8 video compression format used by libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).
What is a zero-day vulnerability and why is it dangerous?
A zero-day vulnerability is a software flaw that is unknown to the developers and the public but already known to, and exploited by, hackers. It is called a zero-day because the developers have had zero days to fix it before it is used for malicious purposes. Hackers can use zero-day vulnerabilities to compromise systems, steal data, install malware, or perform other malicious actions.
A zero-day exploit is a piece of code or a tool that takes advantage of a zero-day vulnerability. Hackers can use zero-day exploits to attack vulnerable systems before they are patched. Zero-day exploits are often sold or traded on the dark web or used by state-sponsored actors for cyber espionage or sabotage.
How does CVE-2023-5217 affect Chrome users?
CVE-2023-5217 is a heap-based buffer overflow in the VP8 compression format in libvpx. A heap-based buffer overflow occurs when a program writes more data into a dynamically allocated (heap) buffer than it can hold, so the excess spills into adjacent memory regions. This can result in program crashes, data corruption, or arbitrary code execution.
VP8 is a video compression format that is widely used on the web, especially for WebRTC applications such as video conferencing. libvpx is a library that implements VP8 and other video codecs. Chrome uses libvpx to decode VP8 video streams.
CVE-2023-5217 allows an attacker to craft a malicious VP8 video stream that can trigger a buffer overflow in libvpx and execute arbitrary code on the target system. This means that an attacker can potentially take over the system by simply sending or displaying a malicious video to a Chrome user.
How was CVE-2023-5217 discovered and exploited?
CVE-2023-5217 was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on September 25, 2023. TAG is a team of security researchers that tracks and investigates advanced persistent threats (APTs), which are sophisticated cyberattacks sponsored by nation-states or other actors.
According to Maddie Stone, another researcher from TAG, CVE-2023-5217 has been exploited by a commercial spyware vendor to target high-risk individuals. Stone did not name the vendor or the victims, but said that the exploit was delivered via email attachments or malicious links.
CVE-2023-5217 is the fifth Chrome zero-day vulnerability that has been patched this year. The previous four were:
- CVE-2023-2033: A type confusion in V8, Chrome’s JavaScript engine.
- CVE-2023-2136: An integer overflow in Skia, Chrome’s graphics library.
- CVE-2023-3079: Another type confusion in V8.
- CVE-2023-4863: A heap buffer overflow in WebP, an image format supported by Chrome.
How can Chrome users protect themselves from CVE-2023-5217?
Google has released Chrome version 117.0.5938.132 for Windows, macOS, and Linux to address CVE-2023-5217 and other security issues. Users are advised to update their browser as soon as possible to mitigate the risk of exploitation.
Users can check their Chrome version by clicking on the three-dot menu icon at the top right corner of the browser, then selecting Help > About Google Chrome. If an update is available, it will be downloaded and installed automatically.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the latest updates from their respective vendors, as they may share the same vulnerability.