Google rushes to patch critical Chrome vulnerability exploited in the wild


Google on Monday rolled out out-of-band security patches to fix a critical security flaw in its Chrome web browser that it says has been exploited in the wild.
Tracked as CVE-2023-4863, the problem was described as a heap buffer overflow in the WebP image format that could lead to arbitrary code execution or a crash.
Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School were credited with discovering and reporting the flaw on September 6, 2023.
The tech giant has yet to disclose additional details about the nature of the exploit, but noted that it is “aware that an exploit for CVE-2023-4863 exists in the wild.”

With the latest patch, Google has resolved a total of four zero days in Chrome since the start of the year –
The development comes the same day Apple expanded patches to fix CVE-2023-41064 for the below devices and operating systems:
CVE-2023-41064 addresses a buffer overflow issue in the Image I/O component that could lead to arbitrary code execution when processing a maliciously crafted image.
According to Citizen Lab, CVE-2023-41064 was allegedly used in conjunction with CVE-2023-41061, a validation issue in Wallet, as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully patched iPhones running iOS 16.6.
The fact that CVE-2023-41064 and CVE-2023-4863 revolve around image processing and that the latter was reported by Apple and Citizen Lab suggests that there could be a potential connection between the two.
Users are recommended to upgrade to Chrome version 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply patches as soon as they become available.
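For administrators checking a fleet against the fixed build above, the following is an added example (not from Google or the original article) that flags Chrome installs older than 116.0.5845.187. The hostnames and version strings in the inventory are constructed sample data, and the check covers Google Chrome only, since the article gives no fixed build numbers for other Chromium-based browsers.

```python
import re

# Minimum fixed build named in the article (Windows also ships .188).
FIXED_BUILD = (116, 0, 5845, 187)

# Four dotted numeric parts, e.g. "116.0.5845.179".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from text such as the output of
    `google-chrome --version`. Returns a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def needs_update(version_text):
    """True if the build predates the fix. Unparseable input also returns
    True so that unknown hosts are not silently treated as patched."""
    version = parse_version(version_text)
    return version is None or version < FIXED_BUILD


def audit(inventory):
    """inventory: iterable of (hostname, version_text) pairs.
    Returns a list of (hostname, reason) for hosts that need attention."""
    findings = []
    for host, text in inventory:
        version = parse_version(text)
        if version is None:
            findings.append((host, "version unknown"))
        elif version < FIXED_BUILD:
            findings.append((host, "outdated: " + ".".join(map(str, version))))
    return findings


# Constructed sample inventory (hostnames and builds are illustrative).
SAMPLE = [
    ("ws-01", "Google Chrome 116.0.5845.179"),
    ("ws-02", "Google Chrome 116.0.5845.187"),
    ("ws-03", "Google Chrome 116.0.5845.188"),
    ("ws-04", "Google Chrome 115.0.5790.170"),
    ("ws-05", "Google Chrome 117.0.5938.62"),
    ("ws-06", "version unavailable"),
    # .96 sorts after .187 as a string; numeric comparison gets it right.
    ("ws-07", "Google Chrome 116.0.5845.96"),
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE):
        print(f"{host}: {reason}")
```

Comparing the parts as integers rather than as strings matters here: a plain string comparison would rank 116.0.5845.96 above 116.0.5845.187 and miss an unpatched host.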