Google Fixes Another Chrome Zero-Day Bug Exploited in Attacks
Cyber Security Threat Summary:
Yesterday, Google released security updates to fix a critical zero-vulnerability in its Chrome web browser. Tracked as CVE-2023-4863, the flaw relates to a heap-based buffer overflow in the WebP image format. Successful exploitation of this issue could result in browser crashes or arbitrary code execution. Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School have been credited for discovering and reporting the bug. Since the disclosure, Google has patched the flaw with the release on version 116.0.5845.187 for Mac and Linux users and version 116.0.5845.187/.188 for Windows users.
Security Officer Comments:
According to Google, it is aware that an exploit for CVE-2023-4863 exists in the wild. However, the vendor did not release any technical details of such attacks. This is likely the case as the company wants to give users enough time to upgrade to the latest version, which is estimated to reach the entire user base over the coming days or weeks.
Suggested Correction(s):
Users should ensure that they are running on the latest version of Chrome as soon as possible. With Google expected to release the technical details in the near future, threat actors will likely use this information to create custom exploits and deploy them in attacks in the wild. To update Chrome, head to Settings → About Chrome → Wait for the download of the latest version to finish → Restart the program
Link(s):
https://www.bleepingcomputer.com/