CTI Flash Briefing: New Chrome Zero-Day vulnerability requires immediate patching across all systems

James Beal, Hunter Strategy
Sep 15, 2023

Breakdown

Apple released security patches across its operating systems last week in response to a CitizenLab report on a zero-click zero-day vulnerability that is part of the exploit chain known as BLASTPASS, which NSO Group uses to infect iOS devices with its Pegasus spyware. This week Google released updates for another critical zero-day vulnerability (CVE-2023-4863).

Chrome users are advised to upgrade their browser to version 116.0.5845.187 (Mac and Linux) or 116.0.5845.187/.188 (Windows) as soon as possible, as these builds patch CVE-2023-4863 on Windows, Mac, and Linux. Updates are also available for Brave, Edge, Firefox, Opera, and Vivaldi if any of these alternate browsers are in use in your environment.

Area of Impact

This affects the Chrome web browser on Mac, Linux, and Windows. Chrome is the base for several other browsers; if you use Brave, Edge, Firefox, Opera, or Vivaldi, you must update those browsers as well.

Overview

The Chrome vulnerability (CVE-2023-4863) is a heap buffer overflow in the WebP image code library (libwebp); its impact ranges from a browser crash to arbitrary code execution.

As reported in the BleepingComputer article, Google has not released details of the attacks, allowing a grace period for users to patch:

While Google said the CVE-2023-4863 zero-day has been exploited in the wild, the company has yet to share more details regarding these attacks. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.”

Details on the other affected browsers were provided in researcher updates covered by Forbes:

The 1Password for Mac application has been updated to version 8.10.15 to patch against CVE-2023-4863, and Signal Desktop has been updated to include the patched Electron v25. Other web browsers that have been updated to patch the zero-day WebP vulnerability include:

Brave, which has been updated to 116.0.5845.188

Edge, which has been updated to 116.0.1938.81 (116.1938.79 for iOS)

Firefox, which has been updated to 117.0.1

Opera, which has been updated to 102.0.4880.46

Vivaldi, which has been updated to 6.2.3105.47

Google has yet to share exact technical details, and there is no official confirmation that this Chrome vulnerability is tied to the BLASTPASS exploit chain used by NSO Group.

Recommendation

Install the available Chrome security update immediately on all personal and company-owned devices, as noted above. Chrome and the other browsers display their version number in the settings (About) menu, so you can verify that each device matches the patched version numbers listed above.
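As an added illustration (not part of the original briefing), a small Python helper that compares browser versions collected from an inventory against the patched builds listed above; the `host,browser,version` inventory format, the sample hosts, and the `edge-ios` key are assumptions:

```python
import re
# Minimum patched builds taken from the briefing (added example, not the
# briefing's own code). Chrome on Windows shipped as .187/.188, so .187 is
# the floor on every platform; "edge-ios" is an assumed key for the iOS build.
PATCHED = {
    "chrome": "116.0.5845.187",
    "brave": "116.0.5845.188",
    "edge": "116.0.1938.81",
    "edge-ios": "116.1938.79",
    "firefox": "117.0.1",
    "opera": "102.0.4880.46",
    "vivaldi": "6.2.3105.47",
}

def parse_version(text):
    """'116.0.5845.187' -> (116, 0, 5845, 187): compare numerically, since a
    string compare would rank '116.0.5845.9' above '116.0.5845.187'."""
    m = re.fullmatch(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_patched(browser, version):
    """True when the reported version is at or above the patched build.
    Tuple order handles short versions: (117, 0) < (117, 0, 1)."""
    key = browser.strip().lower()
    if key not in PATCHED:
        raise KeyError(f"no patched build on record for {key!r}")
    return parse_version(version) >= parse_version(PATCHED[key])

def find_unpatched(inventory_lines):
    """Scan 'host,browser,version' lines (an assumed, constructed inventory
    format) and return the (host, browser, version) triples still exposed."""
    stale = []
    for line in inventory_lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, browser, version = (f.strip() for f in line.split(","))
        if not is_patched(browser, version):
            stale.append((host, browser, version))
    return stale

if __name__ == "__main__":
    sample = [  # constructed sample, not real hosts
        "ws-01,Chrome,116.0.5845.187", "ws-02,Chrome,116.0.5845.140",
        "ws-03,Firefox,117.0", "ws-04,Edge,116.0.1938.81",
    ]
    for host, browser, version in find_unpatched(sample):
        print(f"{host}: {browser} {version} is below the patched build")
```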

Conclusion

To our current SOC partnerships, please get in touch with our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this ongoing event or need any security assistance, please get in touch with Hunter Strategy. We will gladly discuss the next steps in securing your IT systems!

Contact Us

contact@hunterstrategy.net

James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.