Google patches zero-day exploited by commercial spyware vendor
Reading Time: 2 minutesGoogle has rushed to patch a zero-day vulnerability in Chrome that was exploited by a commercial spyware vendor.
The vulnerability was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released. Google said it is aware that an exploit for the vulnerability, tracked as CVE-2023-5217 and described as a ‘heap buffer overflow in vp8 encoding in libvpx’, exists in the wild.
Google’s advisory does not provide any further information about attacks exploiting the zero-day. ‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix,’ the company said.
The vulnerability is fixed in Google Chrome 117.0.5938.132, which is rolling out now to Windows, Mac, and Linux users in the Stable Desktop channel.
Just last week, Google TAG revealed that three zero-days recently patched by Apple were pushed out to block an exploit used to plant the Predator spyware on the phone of an Egyptian presidential candidate. Predator is a spyware developed by Cytrox, a controversial commercial spyware vendor, that can steal the contents of a victim’s phone once installed.
The release of an emergency patch for Chrome comes just weeks after Google fixed another actively exploited zero-day that that was discovered by Apple’s Security Engineering and Architecture (SEAR) team and Citizen Lab, a digital rights organization at The University of Toronto that has investigated spyware for more than a decade.
This vulnerability was initially misidentified as a Chrome vulnerability, but Google has since assigned it to the open-source libwebp library used to encode and decode images in WebP format. This reclassification has ramifications for numerous and popular apps using libwebp, which includes 1Password, Firefox, Microsoft Edge, Safari and Signal.
Security researchers have linked the vulnerability, which was given a maximum 10/10 severity rating, to the zero-click iMessage exploit chain, named BLASTPASS, used to deploy the NSO Group’s Pegasus spyware on compromised iPhones.
Ref: techcrunch
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG