Video Encoding Library Leaves Chrome, Firefox and More Open to Zero-Day Attack


Google and Mozilla have patched the zero-day vulnerability, which originates in the libvpx library.


Google and Mozilla have patched a zero-day vulnerability in Chrome and Firefox, respectively. The vulnerability was being exploited by a commercial spyware vendor. It is a heap buffer overflow, through which attackers could inject malicious code. Any software that uses VP8 encoding in libvpx or is based on Chromium (including Microsoft Edge) might be affected, not just Chrome or Firefox.

If you use Chrome, update to 117.0.5938.132 when it becomes available; Google Chrome says it may take “days/weeks” for all users to see the update. In Firefox, the exploit is patched in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1 and Firefox for Android 118.1.


This zero-day vulnerability originates in the libvpx library

The zero-day vulnerability is a heap buffer overflow in VP8 encoding in libvpx, a video codec library developed by Google and the Alliance for Open Media. The library is widely used to encode or decode videos in the VP8 and VP9 video coding formats.

“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” the Firefox team wrote in their security advisory.

From there, the vulnerability “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” said the official Common Vulnerabilities and Exposures site.


The vulnerability is being tracked by Google as CVE-2023-5217. Clément Lecigne, a security researcher at Google’s Threat Analysis Group, found the flaw on September 25, leading to a patch on September 27.

“A commercial surveillance vendor” was actively using the exploit, researcher Maddie Stone of Google’s Threat Analysis Group noted on X.

There is not a lot more information available about the zero-day exploit at this time. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company wrote in the Chrome release update.

The Chrome update including the fix remediates nine other vulnerabilities.

“In this case, a browser-based exploit tied to libvpx will raise a few eyebrows as it can crash the browser and execute malicious code – at the permissions level the browser was running at,” said Rob T. Lee, chief curriculum director and head of faculty at the SANS Institute and a former technical advisor to the U.S. Department of Justice, in an email to TechRepublic. “That gives some comfort, but many exploits can do much more – including implants to allow remote access.”

What can IT teams do to keep employees’ devices secure?

IT leaders should communicate to employees that they should keep their browsers updated and remain aware of possible vulnerabilities. Another heap buffer overflow attack last week affected a variety of software using the WebP Codec, so it’s generally a good time to emphasize the importance of updates. Information on whether libvpx might be patched is not yet available, Ars Technica reported on Sept. 28.
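For teams that keep a browser inventory, the fixed versions listed earlier in this article can be turned into a quick fleet check. The Python script below is an added example, not code from Google, Mozilla or TechRepublic; the inventory columns (host, product, version) and the product keys are assumptions, and the sample rows are constructed.

```python
import csv

# Fixed versions for CVE-2023-5217 from this article; product keys are hypothetical labels.
FIXED = {
    "chrome": (117, 0, 5938, 132),
    "firefox": (118, 0, 1),
    "firefox-esr": (115, 3, 1),
    "firefox-android": (118, 1),
    "firefox-focus-android": (118, 1),
}
STATUS = {True: "patched", False: "UPDATE NEEDED", None: "review manually"}

def parse_version(text):
    """Turn '117.0.5938.92' into (117, 0, 5938, 92); raise ValueError if malformed."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(product, version):
    """True/False for a product listed above, None when no fixed version is known."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return None
    have = parse_version(version)
    # Pad both tuples to the same length so '118.0' compares as 118.0.0 against 118.0.1.
    width = max(len(have), len(fixed))
    return have + (0,) * (width - len(have)) >= fixed + (0,) * (width - len(fixed))

def audit(inventory_csv):
    """Return one (host, product, version, status) tuple per inventory row."""
    results = []
    for row in csv.DictReader(inventory_csv.splitlines()):
        try:
            verdict = is_patched(row["product"], row["version"])
        except ValueError:  # version field is not dotted integers
            verdict = None
        results.append((row["host"], row["product"], row["version"], STATUS[verdict]))
    return results

# Constructed sample inventory; hosts and installed versions are made up for illustration.
SAMPLE = """host,product,version
lt-001,chrome,117.0.5938.92
lt-003,firefox,118.0
lt-004,firefox-esr,115.3.1
ph-005,firefox-android,118.1
lt-006,edge,117.0.2045.43
"""

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE):
        print(f"{host:8} {product:18} {version:16} {status}")
```

Products for which the article gives no fixed version, such as Microsoft Edge, come back as "review manually" rather than being assumed safe. An ESR install recorded under the plain `firefox` key is flagged for update, which errs on the cautious side.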

“Implementing layered security and defense-in-depth strategies enables optimum mitigation of zero-day threats,” said Mozilla interim Head of Security John Bottoms in an email to TechRepublic.

“It is hard to prepare for organizations to prevent [zero-day exploits], similar to a decent social engineering attempt – the best you can do is shore up your logfiles and ensure that forensic evidence exists that can be traced back for months (if not years on critical systems),” said Lee. “Some tools can detect zero-days on the fly, including detections built into the operating system, but many of these sometimes degrade system performance.”

TechRepublic also reached out to Google for comment. At the time of publication, we have not received a reply.
