Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor

Google has rushed to patch a new Chrome zero-day vulnerability, tracked as CVE-2023-5217 and exploited by a spyware vendor. 

Chrome Google incognito” mode

Google has rushed to patch another Chrome zero-day vulnerability exploited by a commercial spyware vendor. 

The internet giant announced on Tuesday that the stable channel of Chrome for Windows, macOS and Linux has been updated to version 117.0.5938.132.

The latest update patches 10 vulnerabilities, three of which have been highlighted by the company in its advisory.

The most important vulnerability, tracked as CVE-2023-5217, has been described as a “heap buffer overflow in vp8 encoding in libvpx”. The issue was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released.

Google warned that CVE-2023-5217 has been exploited in the wild.

While the advisory does not provide any information on the attacks exploiting the zero-day, Google TAG researcher Maddie Stone revealed that it has been leveraged by a commercial surveillance vendor. 

The news comes shortly after Google TAG and the University of Toronto’s Citizen Lab group released details on an operation whose goal was to deliver a piece of spyware known as Predator to an opposition politician in Egypt. 

An analysis showed that the threat actor has used various zero-days and man-in-the-middle (MitM) attacks to deliver spyware to both Android and iOS devices. 

Advertisement. Scroll to continue reading.

CVE-2023-5217 is the sixth Chrome zero-day patched by Google in 2023, after CVE-2023-4762, CVE-2023-4863, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136

The latest Chrome update also patches CVE-2023-5186 and CVE-2023-5187, two high-severity use-after-free bugs in the Passwords and Extensions components.

Related: Federal Agencies Instructed to Patch New Chrome Zero-Day

Related: Exploitation of Recent Chrome Zero-Day Linked to Israeli Spyware Company

Related: Google Attempts to Explain Surge in Chrome Zero-Day Exploitation

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.