Google has fastened a zero-day vulnerability in its Chrome browser {that a} industrial vendor has already been actively exploiting to drop surveillance software program on the right track techniques.

And it is the third Chrome zero-day bug that Google has disclosed in current days that is linked to spying exercise.

Reminiscence Corruption Vulnerabilities

The brand new buffer overflow concern that Google is monitoring as CVE-2023-5217 stems from the implementation of a video compression format in a software program library that Chrome makes use of. The flaw is remotely exploitable and provides attackers a technique to achieve distant code execution on a goal system by manipulating heap reminiscence through a maliciously crafted HTML web page. It’s current in variations of Google Chrome previous to 117.0.5938.132 and variations of the libvpx library earlier than 1.13.1.

Google’s Chrome staff credited a member of the corporate’s Menace Evaluation Group (TAG) for locating and reporting the zero-day risk on Sept. 25. The corporate issued a patch for it on Sept. 27. In a put up on X, previously Twitter, TAG safety researcher Maddie Stone described the bug as a zero-day {that a} industrial surveillance vendor was exploiting on the time of patch launch.

Stone’s tweet didn’t establish the seller by identify, however in current days Google has pointed to a surveillance vendor named Intellexa as abusing a earlier Chrome zero-day (CVE-2023-4762) to drop a spying software referred to as Predator on the right track Android units in Egypt. Google patched that bug on Sept. 5 after a safety researcher notified the corporate concerning the risk.

A Flurry of Zero-Days

CVE-2023-5217 is definitely the sixth zero-day vulnerability that Google has disclosed in Chrome this 12 months. It’s the third vulnerability the corporate has rushed to patch simply this month that seems linked to spying exercise.

On Sept. 11, Google disclosed a essential vulnerability recognized as CVE-2023-4863 that affected Google Chrome variations for Home windows, macOS, and Linux. The buffer overflow vulnerability, in a Chrome library associated to picture processing (libwebp), gave attackers a technique to write arbitrary code on the right track techniques utilizing maliciously crafted HTML photos. Google recognized CVE-2023-4863 as a vulnerability that attackers had been already exploiting, however didn’t supply any particulars.

Google found the vulnerability after researchers at Apple and the College of Toronto’s The Citizen Lab notified the corporate about discovering a safety concern in libwebp that an attacker had abused to drop the infamous Pegasus adware on the right track iPhones. Although Google and Apple have assigned totally different CVEs — Apple’s identifier for the libwebp bug is CVE-2023-41064 — some safety researchers have mentioned it’s seemingly that the bugs are basically the identical since they exist in the identical library and have an identical traits.

Along with these three zero-days, Google disclosed three different Chrome bugs this 12 months that attackers had been actively exploiting earlier than the corporate had a patch for them.

In June, Google disclosed CVE-2023-3079, a so-called sort confusion error within the V8 JavaScript engine in Chrome that an attacker may exploit through a specifically crafted HTML web page. Google disclosed the opposite two zero-days in April. One was an integer overflow concern within the Skia open supply graphics library, tracked as CVE-2023-2136, and the opposite is CVE-2023-2033, additionally a kind confusion error in V8 that an attacker can exploit through a malicious HTML web page. Menace actors had been actively exploiting all three vulnerabilities on the time of patching.