Google, Microsoft, and Mozilla have moved quickly to patch a critical zero-day vulnerability that is being actively exploited across multiple browsers. The vulnerability, tracked as CVE-2023-4863, was reported by Apple’s Security Engineering and Architecture (SEAR) team and Citizen Lab on September 6. The flaw lies in WebP, an image format developed by Google and supported by the other major browser makers. It affects Google Chrome versions prior to 116.0.5845.187 and allows a remote attacker to perform an out-of-bounds memory write via a crafted WebP image.
To address the issue, Google has released an emergency patch for CVE-2023-4863. In their advisory, they mentioned that updates for the stable and extended stable channels for Mac, Linux, and Windows would be completed in the coming days or weeks. Microsoft and Mozilla followed suit by releasing fixes for their respective browsers, Edge and Firefox.
Currently, attacks related to this vulnerability seem to be limited to Google Chrome. However, Mozilla’s advisory indicated that they were aware of the issue being exploited in other products as well. The vulnerability affects not only Firefox but also Firefox ESR and Thunderbird products.
In response, Microsoft has urged its users to upgrade to the latest version of Microsoft Edge, which is built on the Chromium open-source software (OSS) and therefore ships the same WebP library. The discovery of vulnerabilities in OSS components such as WebP has put open-source security in the spotlight, and it has become an increasing priority in the White House’s cybersecurity initiatives.
While Google has confirmed the existence of an exploit for CVE-2023-4863 in the wild, specific details of the attacks remain unknown. As a precautionary measure, Google has restricted access to bug details and links until a majority of users have updated their browsers with the fix. The restrictions will also remain in place if the bug exists in a third-party library that other projects depend on but haven’t yet fixed.
CVE-2023-4863 is the latest zero-day vulnerability uncovered by Citizen Lab. Recently, they discovered a zero-click iOS vulnerability that was actively exploited to deliver the NSO Group’s Pegasus spyware. Citizen Lab named this exploit chain “Blastpass” and revealed that it involved two Apple vulnerabilities. Notably, Apple’s SEAR team was also involved in the reporting of the WebP vulnerability.
The first vulnerability used to deploy the spyware was a buffer overflow tracked as CVE-2023-41064. The second was a validation issue tracked as CVE-2023-41061. Apple has acknowledged that these vulnerabilities may have been actively exploited and has urged users to apply the patches.
According to Citizen Lab, Blastpass was discovered on the device of an employee belonging to a Washington DC-based civil society organization. They suggested that Apple’s Lockdown Mode could help mitigate the threat. The investigation into the exploit chain is ongoing, and researchers have found that it involves “PassKit attachments containing malicious images sent from an attacker’s iMessage account to the victim.”
It is worth noting that Apple previously filed a lawsuit against the NSO Group in 2021, accusing the vendor of deliberately targeting Apple customers and products.
In conclusion, the major browser vendors have acted swiftly to address a critical zero-day vulnerability that was actively exploited across several browsers. With patches released by Google, Microsoft, and Mozilla, users should update their browsers promptly to mitigate the risk. The discovery of vulnerabilities in open-source software such as WebP also highlights the need for stronger security measures, which have become a priority in global cybersecurity initiatives. As investigation of the exploit chain continues, users should stay vigilant and apply the available patches to protect their systems and data.