top of page

Google Moves Quickly to Fix a Critical Chrome Flaw Being Used in the Real World - Update Now



Google released out-of-band security patches for its Chrome web browser on Monday to fix a major security flaw that it said was being used in the wild.


The problem, which has been given the number CVE-2023-4863, is a heap buffer overflow in the WebP image format that could let unauthorized code run or cause a crash.


On September 6, 2023, the flaw was found and reported by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the Munk School at the University of Toronto.


The tech giant hasn't said much more about the hack yet, but it has said that it is "aware that an exploit for CVE-2023-4863 exists in the wild."


Since the beginning of the year, Google has fixed a total of four "zero-day" bugs in Chrome.


CVE-2023-2033 (8.8 on the CVSS) - Type Confusion in V8 CVE-2023-2136 (9.6 on the CVSS scale) - Skia integer overflow CVE-2023-3079 (CVSS score: 8.8) - Mixed Up Types in V8

This happened on the same day that Apple made fixes for CVE-2023-41064 available for the following devices and OS systems:


iOS 15.7.9 and iPadOS 15.7.9: iPhone 6s (all types), iPhone 7, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

CVE-2023-41064 affects macOS Big Sur 11.7.10 and macOS Monterey 12.6.9 relates to a buffer overflow in the picture I/O component that could let any code run when a maliciously made picture is processed.


Citizen Lab says that CVE-2023-41064 and CVE-2023-41061, a validation problem in Wallet, were used together as part of BLASTPASS, a zero-click iMessage exploit chain, to install Pegasus on fully patched iPhones running iOS 16.6.


Both CVE-2023-41064 and CVE-2023-4863 have to do with image processing, and the fact that CVE-2023-4863 has been reported by Apple and the Citizen Lab says that the two might be related.


Users should update Chrome to version 116.0.5845.187/.188 for Windows and version 116.0.5845.187 for macOS and Linux to protect themselves from possible risks. People who use browsers like Microsoft Edge, Brave, Opera, and Vivaldi that are built on Chromium should also apply the fixes as soon as they become available.


8 views0 comments

Comments


bottom of page