Google Fixes Chrome Zero-Day Exploited in the Wild

Chrome Bug Caused by Heap Buffer Overflow Issue in the WebP Image Format

Google released a fix on Monday for a Chrome zero-day. Like the three before it, this fourth Chrome zero-day vulnerability found in 2023 allows an attacker to remotely target a vulnerable version of the browser.

An attacker could exploit the vulnerability to execute arbitrary code, mishandle the data in the browser's memory and eventually crash the browser on a victim's device. The flaw stems from a heap buffer overflow in WebP, an image format championed by Google as a high-quality compression method.

Tracked as CVE-2023-4863, the vulnerability is being exploited in the wild, Google said. Mozilla on Tuesday also released a patch to fix the flaw for the Firefox browser.

Researchers at Apple Security Engineering and Architecture and The Citizen Lab at The University of Toronto's Munk School reported the zero-day flaw to Chrome developers Sept. 6.

The same teams of researchers last week also found and fixed a zero-click exploit - called BlastPass - that was used to deliver the Pegasus advanced spyware app to at least one iPhone carried by an individual employed at a Washington, D.C.-based civil society organization (see: Apple Fixes Zero-Click Bugs Exploited by NSO Group's Spyware).

Potential links between the two could not be established as Apple and Citizen Lab did not immediately respond to Information Security Media Group's request for information.

Safe Browsing Gets an Upgrade

The development of the Chrome zero-day comes as Google further tightens its Chrome security features. Chrome turns 15 years old this month, and the tech giant wants to offer a browser that is fast, reliable, secure and easy to use. Last week, Google introduced a host of upgrades including one to its Safe Browsing feature that automatically flags dangerous sites and files.

The Safe Browsing feature previously worked by checking every site visit against a locally stored list of known bad sites that is updated every 30 to 60 minutes. "But phishing domains have gotten more sophisticated - and today, 60% of them exist for less than 10 minutes, making them difficult to block," Google said.

The tech giant is now upgrading the Standard protection mode of Safe Browsing to block these malicious sites the moment they launch. This means Chrome will now check sites against Google's list of known bad sites in real time, without sharing the user's browsing history.

The company estimates 25% improved protection from malware and phishing threats due to the shortened time between identification and prevention of these threats. The update is set to roll out to Chrome users in the coming weeks.

Safe Browsing's Enhanced Protection mode can be activated for additional protection. Google says the mode "continues to block new attacks with AI, provide a deep scan for files and offer extra protection from malicious Chrome extensions."


About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



