In a recent development, Google has announced the discovery and subsequent fix for a zero-day vulnerability in its Chrome browser. This vulnerability has been actively exploited by a commercial vendor to drop surveillance software on targeted systems. What’s concerning is that this is the third zero-day vulnerability related to spying activity that Google has disclosed in recent days.
The newly patched vulnerability, tracked as CVE-2023-5217, is a memory corruption issue in the implementation of a video compression format inside libvpx, a software library used by Chrome. The flaw lets an attacker remotely execute arbitrary code on a target system by corrupting heap memory through a maliciously crafted HTML page. It affects versions of Google Chrome prior to 117.0.5938.132 and versions of the libvpx library before 1.13.1.
Google’s Threat Analysis Group (TAG) is credited with discovering and reporting this zero-day threat on September 25th. Just two days later, Google issued a patch for the vulnerability. Maddie Stone, a security researcher from TAG, described the bug as a zero-day that was actively exploited by a commercial surveillance vendor at the time of the patch release. Although the vendor’s identity remains undisclosed, Google recently pointed to a surveillance vendor named Intellexa, who abused a previous Chrome zero-day (CVE-2023-4762) to deploy a spying tool called Predator on Android devices in Egypt. Google promptly addressed that bug on September 5th after receiving a notification from a security researcher.
Interestingly, this is the sixth zero-day vulnerability that Google has disclosed in its Chrome browser this year. Moreover, it is the third vulnerability in the past month alone that appears to be linked to spying activities. On September 11th, Google disclosed another critical vulnerability, identified as CVE-2023-4863, affecting Chrome versions for Windows, macOS, and Linux. This buffer overflow vulnerability, found in a Chrome library related to image processing (libwebp), allowed attackers to execute arbitrary code on target systems using malicious HTML images. Google confirmed that attackers were actively exploiting CVE-2023-4863 but did not provide additional details.
Google became aware of this vulnerability after receiving notifications from researchers at Apple and the University of Toronto’s Citizen Lab. They discovered a security flaw in libwebp that an attacker had used to deploy the notorious Pegasus spyware on iPhones. Although Google and Apple assigned different Common Vulnerabilities and Exposures (CVE) identifiers to the bug, some security researchers believe the vulnerabilities are essentially the same, as they exist in the same library and share identical characteristics.
Apart from these three zero-days, Google has disclosed three other Chrome vulnerabilities this year that were actively exploited by threat actors before the patches were available. In June, Google disclosed CVE-2023-3079, a type confusion error in the V8 JavaScript engine that could be exploited through a specially crafted HTML page. In April, two more vulnerabilities were disclosed. One was an integer overflow issue in the Skia open-source graphics library (CVE-2023-2136), and the other was a type confusion error in V8 (CVE-2023-2033) that could be exploited via a malicious HTML page. At the time of patching, all three vulnerabilities were being actively exploited.
The discovery and patching of these zero-day vulnerabilities highlight the continuous work of Google’s security team in securing its products. However, the fact that multiple zero-day vulnerabilities tied to spying activity have been exploited in the wild raises concerns about the capabilities and intentions of the attackers. It also emphasizes the need for users to update their software to the latest versions as soon as patches become available, so that they are protected from threats exploiting these vulnerabilities.
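For defenders who want to act on the article's advice to update promptly, the practical first step is finding which hosts still run a Chrome build below 117.0.5938.132 or a libvpx below 1.13.1. The script below is an added example (not code from the article, from Google, or from the libvpx project): it compares dotted version strings from a constructed inventory against those two fixed releases. The inventory format, host names and version values are invented for illustration. One caveat a practitioner will want: Linux distributions often backport a fix without bumping the upstream version number, so a version comparison like this is a triage aid for deciding what to inspect, not proof that a host is exposed.

```python
"""Flag Chrome / libvpx installs older than the fixed releases named for CVE-2023-5217.

Added example, not code from the article or from Google. The inventory lines below
are constructed sample data; the "host product version" layout is an assumption.
"""

# Fixed releases as stated in the article.
FIXED_VERSIONS = {
    "chrome": "117.0.5938.132",
    "libvpx": "1.13.1",
}


def version_tuple(version: str) -> tuple:
    """Turn '117.0.5938.132' into (117, 0, 5938, 132) for ordered comparison.

    A packaging suffix such as '1.13.1-2' (distro revision) is dropped before the
    split, so only the upstream part is compared.
    """
    upstream = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def is_patched(product: str, version: str) -> bool:
    """True when `version` is at or above the fixed release for `product`.

    Python compares tuples lexicographically and treats a shorter tuple as
    smaller when every shared element is equal, so '1.13' < '1.13.1' holds
    without explicit zero-padding.
    """
    return version_tuple(version) >= version_tuple(FIXED_VERSIONS[product])


# Constructed sample inventory: one "host product version" record per line.
SAMPLE_INVENTORY = """\
host01 chrome 117.0.5938.92
host02 chrome 117.0.5938.132
host03 chrome 118.0.5993.70
host04 libvpx 1.13.0
host05 libvpx 1.13.1-2
host06 libvpx 1.9.0
host07 firefox 118.0
"""


def find_unpatched(inventory_text: str) -> list:
    """Return (host, product, version) for every record below its fixed release.

    Products with no entry in FIXED_VERSIONS are ignored rather than flagged.
    """
    unpatched = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        if product not in FIXED_VERSIONS:
            continue
        if not is_patched(product, version):
            unpatched.append((host, product, version))
    return unpatched


if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}")
```

Feeding the script a real export from an endpoint-management tool only requires changing the record layout in `find_unpatched`; the comparison itself stays the same. Hosts it reports should be checked against the distribution's changelog before being declared vulnerable, for the backport reason noted above.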
