Google has released an emergency patch to fix an actively exploited vulnerability in its Chrome browser. The vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow issue in the WebP code library. This type of vulnerability allows more data to be written to a memory buffer than the buffer is able to hold, which can result in an application crash or code execution. While Google has confirmed that an exploit is available and is being used in attacks, details of the nature of the attacks have not been released. Google is restricting access to details of the bug until a majority of users have updated to the patched Chrome version, which is 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows.
The vulnerability also affects the Firefox browser, which has been patched against the vulnerability in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2, which were released on September 12. Microsoft also released a patch in its September Patch Tuesday updates to fix the issue in its Edge browser. Other browsers that support the WebP image format will also be affected by this vulnerability.
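The fixed versions listed above can be turned into a quick inventory check. The following is an added example, not code from Google, Mozilla or the original article; the product keys, host names and inventory rows are constructed, Edge is omitted because the article gives no version number for it, and treating an older major release with no listed fix as unpatched is an assumption.

```python
import re

# First fixed builds for CVE-2023-4863, as stated in the article.
FIXED = {
    "chrome": ["116.0.5845.187"],
    "firefox": ["117.0.1"],
    "firefox-esr": ["102.15.1", "115.2.1"],
    "thunderbird": ["102.15.1", "115.2.2"],
}

def parse(version):
    """Turn '116.0.5845.187' into (116, 0, 5845, 187); reject anything else."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def is_patched(product, version):
    """True if `version` is at or above the fix for its release branch."""
    installed = parse(version)
    fixes = sorted(parse(v) for v in FIXED[product])
    # ESR and Thunderbird ship two branches: compare against the same major.
    same_branch = [f for f in fixes if f[0] == installed[0]]
    if same_branch:
        return installed >= same_branch[0]
    # No fix listed for this major: a newer major is assumed to carry the
    # fix, an older one is assumed to have received none (assumption).
    return installed[0] > fixes[-1][0]

# Constructed sample inventory (host, product, version); not real data.
INVENTORY = [
    ("ws-01", "chrome", "116.0.5845.179"),
    ("ws-02", "chrome", "116.0.5845.188"),
    ("ws-03", "firefox", "117.0"),
    ("ws-04", "firefox-esr", "102.15.1"),
    ("ws-05", "thunderbird", "115.2.1"),
    ("ws-06", "firefox-esr", "115.2.0"),
]

def unpatched_hosts(inventory):
    """Return the inventory rows that are still below the fixed build."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]

if __name__ == "__main__":
    for host, product, version in unpatched_hosts(INVENTORY):
        print(f"{host}: {product} {version} is below the CVE-2023-4863 fix")
```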
The vulnerability was reported by researchers at Apple Security Engineering and Architecture (SEAR) and The Citizen Lab on September 6, 2023. The researchers also found and fixed two zero-day vulnerabilities – CVE-2023-41064 and CVE-2023-41061 – that were being exploited in an attack dubbed BlastPass to deliver NSO Group’s Pegasus spyware. The exploit used PassKit attachments with malicious images that were sent from the attacker’s iMessage account. CVE-2023-41064 is a buffer overflow vulnerability in the Image I/O framework and CVE-2023-41061 is a validation flaw in Apple Wallet.