Video Encoding Library Leaves Chrome, Firefox and More Open to Zero-Day Attack



Google and Mozilla have patched the zero-day vulnerability, which originates within the libvpx library.


Google and Mozilla have patched a zero-day vulnerability in Chrome and Firefox, respectively. The zero-day was being used by a commercial surveillance vendor. It could leave users open to a heap buffer overflow, through which attackers could inject malicious code. Any software that uses VP8 encoding in libvpx or is based on Chromium (including Microsoft Edge) might be affected, not just Chrome or Firefox.

If you use Chrome, update to 117.0.5938.132 when it becomes available; Google says it may take “days/weeks” for all users to see the update. In Firefox, the vulnerability is patched in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1 and Firefox for Android 118.1.
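The fixed versions listed above can be checked against a fleet inventory. The following is an added example, not code from the article or from Google or Mozilla; the inventory row format, the product keys and the sample hosts are assumptions made for illustration. It compares versions numerically, because a plain string comparison ranks 117.0.5938.92 above 117.0.5938.132.

```python
# Fixed versions exactly as stated in the article. The product keys are
# hypothetical labels for this example, not names from a real inventory tool.
FIXED = {
    "chrome": (117, 0, 5938, 132),
    "firefox": (118, 0, 1),
    "firefox-esr": (115, 3, 1),
    "firefox-android": (118, 1),
    "firefox-focus-android": (118, 1),
}

def parse_version(text):
    """'117.0.5938.92' -> (117, 0, 5938, 92); ValueError if not dotted integers."""
    return tuple(int(part) for part in text.strip().split("."))

def pad(a, b):
    """Right-pad the shorter tuple with zeros so 118.1 equals 118.1.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def status(product, version):
    """Return 'fixed', 'below-fixed' or 'check-vendor' for one install."""
    fixed = FIXED.get(product.lower())
    if fixed is None:
        # Other Chromium-based or libvpx-using software: the article gives
        # no fixed version for it, so do not guess one.
        return "check-vendor"
    try:
        have = parse_version(version)
    except ValueError:
        return "check-vendor"  # unparseable version string, needs a human
    have, fixed = pad(have, fixed)
    return "fixed" if have >= fixed else "below-fixed"

def triage(inventory):
    """Map (host, product, version) rows to rows with a status appended."""
    return [(h, p, v, status(p, v)) for h, p, v in inventory]

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = [
    ("ws-01", "chrome", "117.0.5938.92"),
    ("ws-02", "chrome", "117.0.5938.132"),
    ("ws-03", "firefox", "118.0"),
    ("ws-04", "edge", "117.0.0.1"),
    ("ph-01", "firefox-android", "118.1.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```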


This zero-day vulnerability originates in the libvpx library

The zero-day is technically a heap buffer overflow in VP8 encoding in libvpx, a video codec library developed by Google and the Alliance for Open Media. It is widely used to encode or decode videos in the VP8 and VP9 video coding formats.

“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” the Firefox team wrote in their security advisory.

From there, the vulnerability “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” said the official Common Vulnerabilities and Exposures website.


The vulnerability is being tracked by Google as CVE-2023-5217. Clément Lecigne, a security researcher at Google’s Threat Analysis Group, found the flaw on September 25, leading to a patch on September 27.

“A commercial surveillance vendor” was actively using the exploit, researcher Maddie Stone of Google’s Threat Analysis Group noted on X.

There is not much more information available about the zero-day exploit at this time. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company wrote in the Chrome release update.

The Chrome update that includes the fix remediates nine other vulnerabilities.

“In this case, a browser-based exploit tied to libvpx will raise a few eyebrows as it can crash the browser and execute malicious code – at the permissions level the browser was running at,” said Rob T. Lee, chief curriculum director and head of faculty at the SANS Institute and a former technical advisor to the U.S. Department of Justice, in an email to TechRepublic. “That gives some comfort, but many exploits can do much more – including implants to allow remote access.”

What can IT teams do to keep employees’ devices secure?

IT leaders should communicate to employees that they should keep their browsers updated and remain aware of possible vulnerabilities. Another heap buffer overflow attack last week affected a variety of software using the WebP codec, so it’s generally a good time to emphasize the importance of updates. Information on whether libvpx might be patched is not yet available, Ars Technica reported on Sept. 28.

“Implementing layered security and defense-in-depth strategies enable optimum mitigation of zero-day threats,” said Mozilla interim Head of Security John Bottoms in an email to TechRepublic.

“It is hard to prepare for organizations to prevent [zero-day exploits], similar to a decent social engineering attempt – the best you can do is shore up your logfiles and ensure that forensic evidence exists that can be traced back for months (if not years on critical systems),” said Lee. “Some tools can detect zero-days on the fly, including detections built into the operating system, but many of these sometimes degrade system performance.”

TechRepublic also reached out to Google for comment. At the time of publication, we have not received a reply.
