Google kept itself in the security news this week by posting Wednesday that it had issued patches for a new actively exploited zero-day in the Chrome browser.
The new zero-day, CVE-2023-5217, is the fifth actively exploited zero-day that Google has patched this year. Google described it as a heap buffer overflow in VP8 encoding in libvpx, the free video codec library. The flaw was reported by Clément Lecigne of Google's Threat Analysis Group on Monday.
Exploitation of buffer overflow flaws can result in program crashes or the execution of arbitrary code, impacting availability and integrity. Maddie Stone, also a researcher on Google’s Threat Analysis Group, posted on X (formerly Twitter) that the zero-day has been abused by a commercial spyware vendor to target high-risk individuals.
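The crash-or-code-execution outcome described above comes from writing past the end of a heap allocation. The following is an added illustration, not code from libvpx, libwebp, Google, or this article: a constructed toy frame format (2-byte width, 2-byte height, then width*height pixel bytes, which is not the VP8 or WebP bitstream) decoded two ways. The unchecked version sizes the allocation from the header but the copy from the input length, the classic mismatch behind media-codec heap overflows; the hardened version bounds the dimensions, derives a single size, and checks it against the bytes actually supplied before it touches the heap. The names, the format, and the MAX_DIM limit are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy frame format (illustration only, not the VP8 or WebP
 * bitstream): 2-byte little-endian width, 2-byte little-endian height,
 * then width*height pixel bytes. */
#define HDR_LEN 4
#define MAX_DIM 16384   /* assumed sanity limit; keeps w*h far inside size_t */

enum { FRAME_OK = 0, FRAME_ERR_TRUNCATED = -1, FRAME_ERR_BAD_DIMS = -2, FRAME_ERR_OOM = -3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern, kept for contrast and never called below: the heap
 * allocation is sized from the header, but the copy is sized from the
 * caller-supplied input length. A file whose payload is longer than
 * width*height writes past the end of pix, i.e. a heap buffer overflow. */
int decode_frame_unchecked(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len)
{
    if (in_len < HDR_LEN) return FRAME_ERR_TRUNCATED;
    size_t need = (size_t)rd16(in) * rd16(in + 2);
    uint8_t *pix = malloc(need);
    if (!pix) return FRAME_ERR_OOM;
    memcpy(pix, in + HDR_LEN, in_len - HDR_LEN); /* BUG: copy length is not bounded by need */
    *out = pix; *out_len = need;
    return FRAME_OK;
}

/* Hardened decode: bound the dimensions, derive one size, and check that
 * size against the bytes actually present before allocating or copying. */
int decode_frame(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len)
{
    if (in_len < HDR_LEN) return FRAME_ERR_TRUNCATED;
    uint16_t w = rd16(in), h = rd16(in + 2);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return FRAME_ERR_BAD_DIMS;
    size_t need = (size_t)w * (size_t)h;                       /* at most 2^28, cannot overflow */
    if (in_len - HDR_LEN < need) return FRAME_ERR_TRUNCATED;   /* header promises more than present */
    uint8_t *pix = malloc(need);
    if (!pix) return FRAME_ERR_OOM;
    memcpy(pix, in + HDR_LEN, need);                           /* exactly the allocated size; trailing bytes ignored */
    *out = pix; *out_len = need;
    return FRAME_OK;
}

/* Runs the hardened decoder on a constructed input; returns the decoded byte
 * count on success or the negative status code on rejection. */
static long run(const uint8_t *in, size_t in_len)
{
    uint8_t *pix = NULL; size_t n = 0;
    int rc = decode_frame(in, in_len, &pix, &n);
    if (rc != FRAME_OK) return rc;
    free(pix);
    return (long)n;
}

/* 2x2 frame with exactly four pixel bytes: accepted, 4 bytes out. */
long demo_well_formed(void)
{
    static const uint8_t in[] = { 2,0, 2,0, 10,20,30,40 };
    return run(in, sizeof in);
}

/* 2x2 header followed by 16 payload bytes. The unchecked decoder would copy 16
 * bytes into a 4-byte allocation; the hardened one copies 4 and ignores the rest. */
long demo_oversized_payload(void)
{
    static const uint8_t in[20] = { 2,0, 2,0, 1,2,3,4, 5,6,7,8, 9,10,11,12, 13,14,15,16 };
    return run(in, sizeof in);
}

/* 4x4 header with only three pixel bytes: rejected instead of reading past the input. */
long demo_truncated(void)
{
    static const uint8_t in[] = { 4,0, 4,0, 1,2,3 };
    return run(in, sizeof in);
}

/* Zero width: rejected before any allocation happens. */
long demo_bad_dims(void)
{
    static const uint8_t in[] = { 0,0, 4,0, 1,2,3,4 };
    return run(in, sizeof in);
}

int main(void)
{
    printf("well-formed: %ld, oversized payload: %ld, truncated: %ld, bad dims: %ld\n",
           demo_well_formed(), demo_oversized_payload(), demo_truncated(), demo_bad_dims());
    return 0;
}
```

The design point is that every length used for a heap write is derived from one validated quantity and compared against the real input size; the oversized-payload case is the one that turns the unchecked decoder into a heap overflow and the hardened decoder into a harmless decode of the declared frame.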
Callie Guenther, senior manager, cyber threat research at Critical Start, noted that while the most recent zero-day has been mentioned as exploited by a commercial spyware vendor, Google did not explicitly state that it’s linked to Pegasus.
“Pegasus is known for exploiting vulnerabilities for targeted attacks, but without specific information, it is not possible to definitively establish a connection between Pegasus and CVE-2023-5217,” explained Guenther.
Threat actors continue to target popular products such as Chrome
The most recent zero-day comes on the heels of Google's report this week on CVE-2023-5129, a critical vulnerability in the libwebp image library that is now considered a duplicate of CVE-2023-4863. The flaw affects how images are processed and could allow attackers to execute arbitrary code on affected systems. Guenther explained that it has a broad attack surface; Google assigned it a CVSS score of 10.0, while NIST rated it as high severity at 8.8.
“There has indeed been heightened activity around Google vulnerabilities, with multiple zero-day vulnerabilities being discovered and patched,” said Guenther. “This activity underscores the continuous efforts by threat actors to exploit popular software and the importance of staying vigilant and applying patches promptly.”
CVE-2023-5217 appears to be similar in that it's a heap buffer overflow in a library associated with rendering visual media — this time, it's video, explained Melissa Bischoping, director, endpoint security research at Tanium.
“CVE-2023-5129 (4863) was in libwebp, which supports the WebP image file format that’s used to improve compression and faster loading of images,” explained Bischoping. “While Google's TAG has attributed this to a commercial surveillance vendor, it's important to remember that attribution likely won't influence whether you patch or not, and regardless of who discovered the vulnerability, it may get adopted and reused by a number of threat actors. Patch accordingly.”
Ashley Leonard, founder and CEO at Syxsense, added that CVE-2023-5129 is a vulnerability which has been newly revealed in the WebP image library, also referred to as the "0day in WebP." Previously, this CVE (CVE-2023-4863) was thought to be specific to Google Chrome, but it has now been updated as a flaw in libwebp, explained Leonard.
“This presents a substantial security threat, because libwebp is used by a wider range of applications and platforms than just Chrome,” said Leonard. “The security vulnerability affects any software that employs the WebP codec via the libwebp library, extending its impact beyond Chrome. This extensive list encompasses not only Chromium-based browsers, but also other prominent browsers like Mozilla Firefox, Apple Safari, and Microsoft Edge, all of which integrate libwebp.”