Google on Monday rolled out out-of-band security patches to tackle a critical security flaw in its Chrome web browser that it explained has been exploited in the wild.
Tracked as CVE-2023-4863, the issue has been explained as a scenario of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash.
Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The College of Toronto’s Munk School have been credited with identifying and reporting the flaw on September 6, 2023.
The tech large has however to disclose added aspects about the nature of the exploit, but observed that it is “informed that an exploit for CVE-2023-4863 exists in the wild.”
With the newest deal with, Google has resolved a complete of 4 zero-times in Chrome since the start of the year –
- CVE-2023-2033 (CVSS score: 8.8) – Variety Confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Variety Confusion in V8
The growth arrives the identical working day Apple expanded fixes to remediate CVE-2023-41064 for the down below devices and working units –
- iOS 15.7.9 and iPadOS 15.7.9 – iPhone 6s (all versions), iPhone 7 (all products), iPhone SE (1st era), iPad Air 2, iPad mini (4th technology), and iPod touch (7th era)
- macOS Huge Sur 11.7.10 and macOS Monterey 12.6.9
CVE-2023-41064 relates to a buffer overflow issue in the Graphic I/O part that could lead to arbitrary code execution when processing a maliciously crafted image.
Impending WEBINARWay Also Vulnerable: Uncovering the Condition of the Id Attack Area
Realized MFA? PAM? Company account defense? Find out how nicely-equipped your organization genuinely is in opposition to identification threats
Supercharge Your Techniques
According to the Citizen Lab, CVE-2023-41064 is mentioned to have been utilised in conjunction with CVE-2023-41061, a validation issue in Wallet, as section of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on totally-patched iPhones working iOS 16.6.
The reality that both equally CVE-2023-41064 and CVE-2023-4863 hinge around image processing and that the latter has been claimed by Apple and the Citizen Lab implies there could be a opportunity connection among the two.
Consumers are encouraged to up grade to Chrome version 116..5845.187/.188 for Windows and 116..5845.187 for macOS and Linux to mitigate probable threats. Users of Chromium-dependent browsers this kind of as Microsoft Edge, Courageous, Opera, and Vivaldi are also suggested to apply the fixes as and when they grow to be out there.
Observed this article intriguing? Comply with us on Twitter and LinkedIn to read far more unique written content we write-up.
Some components of this posting are sourced from: