Security News > 2023 > September > Video Encoding Library Leaves Chrome, Firefox and More Open to Zero-Day Attack
Google and Mozilla have patched a zero-day exploit in Chrome and Firefox, respectively.
The zero-day exploit could leave users open to a heap buffer overflow, through which attackers could inject malicious code.
If you use Chrome, update to 117.0.5938.132 when it becomes available; Google Chrome says it may take "Days/weeks" for all users to see the update.
The zero-day exploit is technically a heap buffer overflow in VP8 encoding in libvpx, which is a video code library developed by Google and the Alliance for Open Media.
"A commercial surveillance vendor" was actively using the exploit, researcher Maddie Stone of Google's Threat Analysis Group noted on X. There is not a lot more information available about the zero-day exploit at this time.
"Google is aware that an exploit for CVE-2023-5217 exists in the wild," the company wrote in the Chrome release update.
News URL
https://www.techrepublic.com/article/google-zero-day-firefox-others/
Related news
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability (source)
- After Chrome patches zero-day used to target Russians, Firefox splats similar bug (source)
- Firefox continues Manifest V2 support as Chrome disables MV2 ad-blockers (source)
- Broadcom fixes three VMware zero-days exploited in attacks (source)
- Google Cuts Off uBlock Origin on Chrome as Firefox Stands Firm on Ad Blockers (source)
- Malicious Chrome extensions can spoof password managers in new attack (source)
- Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-28 | CVE-2023-5217 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. network low complexity webmproject microsoft mozilla fedoraproject debian apple google redhat CWE-787 | 8.8 |