Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild.
Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format and that could result in arbitrary code execution or a crash.
Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto’s Munk School have been credited with discovering and reporting the flaw on September 6, 2023.
The tech giant has yet to disclose more details about the nature of the exploit, but noted that it is “aware that an exploit for CVE-2023-4863 exists in the wild.”
With the latest fix, Google has resolved a total of four zero-days in Chrome since the start of the year:
- CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8
The development comes the same day Apple expanded fixes to remediate CVE-2023-41064 for the following devices and operating systems:
- iOS 15.7.9 and iPadOS 15.7.9 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- macOS Big Sur 11.7.10 and macOS Monterey 12.6.9
CVE-2023-41064 relates to a buffer overflow issue in the Image I/O component that could lead to arbitrary code execution when processing a maliciously crafted image.
According to the Citizen Lab, CVE-2023-41064 is said to have been used in conjunction with CVE-2023-41061, a validation issue in Wallet, as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.
The fact that both CVE-2023-41064 and CVE-2023-4863 hinge on image processing and that the latter has been reported by Apple and the Citizen Lab suggests there could be a potential connection between the two.
Users are advised to upgrade to Chrome version 116..5845.187/.188 for Windows and 116..5845.187 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
Some parts of this article are sourced from:
thehackernews.com