(CTN News) – As part of its emergency security updates released today, Google has patched the fifth Chrome zero-day vulnerability exploited in attacks since the beginning of the year.
An exploit for CVE-2023-5217 is known to exist in the wild, Google revealed in a security advisory published on Wednesday.
Google Chrome 117.0.5938.132, available worldwide in the Stable Desktop channel, addresses the security vulnerability.
As stated in the advisory, it will likely take days or weeks for the patched version to reach the entire user base; however, when BleepingComputer checked for updates, the update was available immediately.
As soon as the web browser is launched, it will automatically check for and install any new updates available.
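A quick way for an administrator to confirm that an endpoint is on the fixed build is to compare the installed Chrome version against the patched release named above. The script below is an added example, not code from the article or from Google; the binary names it tries and the sample `--version` strings it falls back to are constructed assumptions. It compares version components numerically, because a plain string comparison misorders builds such as 117.0.5938.62 and 117.0.5938.132.

```python
# Added example: check whether an installed Chrome build is at or above the
# patched Stable Desktop release 117.0.5938.132 named in Google's advisory.
import re
import shutil
import subprocess
from typing import Dict, Iterable, Tuple

PATCHED_VERSION = "117.0.5938.132"  # fixed build from the advisory

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from text such as 'Google Chrome 117.0.5938.132'
    and return it as a 4-tuple of ints so that components compare numerically."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short versions so "117.0.5938" compares sanely against 4-part builds.
    return parts + (0,) * (4 - len(parts))


def is_patched(installed: str, fixed: str = PATCHED_VERSION) -> bool:
    """True when the installed build is the patched release or newer."""
    return parse_version(installed) >= parse_version(fixed)


def is_patched_naive(installed: str, fixed: str = PATCHED_VERSION) -> bool:
    """The pitfall: lexicographic string comparison. '117.0.5938.62' sorts
    after '117.0.5938.132' because '6' > '1', so an unpatched build passes."""
    return installed >= fixed


def classify(version_outputs: Iterable[str]) -> Dict[str, bool]:
    """Map each `--version` output line to whether it is patched."""
    return {line: is_patched(line) for line in version_outputs}


def installed_chrome_version() -> str:
    """Try common Linux/macOS binary names (assumed, not from the article) and
    return the `--version` output, or an empty string if none is found."""
    for binary in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(binary)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True, text=True)
            return result.stdout.strip()
    return ""


if __name__ == "__main__":
    # Constructed sample outputs used when no Chrome binary is available locally.
    samples = [
        "Google Chrome 117.0.5938.132",   # patched build from the advisory
        "Google Chrome 117.0.5938.62",    # constructed older 117 build
        "Chromium 116.0.5845.187",        # constructed older major version
        "Google Chrome 118.0.6000.10",    # constructed newer build
    ]
    local = installed_chrome_version()
    for line, ok in classify([local] if local else samples).items():
        print(f"{'PATCHED  ' if ok else 'UNPATCHED'} {line}")
```

Run it on a host with Chrome on the PATH to check that machine; without one it reports the constructed samples, which also show why the naive string comparison must not be used for this check.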
Spyware attacks have exploited this Chrome vulnerability
The high-severity zero-day vulnerability (CVE-2023-5217) lies in the VP8 encoding code of the open-source libvpx video codec library; exploitation can lead to application crashes or arbitrary code execution.
On September 25, Google Threat Analysis Group (TAG) security researcher Clément Lecigne reported the bug.
The Google TAG researchers are known for finding and reporting zero-day vulnerabilities that have been exploited in targeted spyware attacks by state-sponsored threat actors and hacking groups targeting high-risk individuals such as journalists and opposition politicians.
Google TAG's Maddie Stone revealed today that the zero-day vulnerability CVE-2023-5217 had been exploited to install spyware on a computer.
Google TAG revealed on Friday that Cytrox’s Predator spyware was installed between May and September 2023 using three zero-day vulnerabilities patched by Apple last Thursday.
Although Google announced today that the CVE-2023-5217 zero-day had been exploited in attacks, the company has yet to provide further details.
According to Google, access to bug details and links may be restricted until a majority of users have been updated with a fix. “We will also retain restrictions if the bug exists in a third-party library on which other projects depend, but have not yet corrected.”
As a result, Google Chrome users will have enough time to update their browsers as a preventative measure against potential attacks.
Withholding technical details until most users have updated reduces the risk that threat actors use those details to create their own exploits and deploy them in real-world attacks.
Earlier this week, Google fixed another zero-day vulnerability (CVE-2023-4863) that had been exploited in the wild, the fourth such zero-day since the start of the year.
Although Google initially tracked it as a Chrome flaw, it later assigned a separate CVE (CVE-2023-5129) with a maximum 10/10 severity rating, tagging it as a critical security vulnerability in the libwebp library, which is used by many projects, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple's Safari, and the Android browser.