Chrome Patches 0-Day Exploited by Commercial Spyware Vendor
Limited Details Disclosed But Google Said It Is a Heap-Based Buffer Overflow Bug
Google rolled out an urgent Chrome browser security update to address a zero-day actively exploited by a commercial spyware vendor. The high-severity bug is the fifth zero-day patched by Chrome this year.
The flaw is a heap-based buffer overflow issue in the VP8 compression format within the libvpx library. Libvpx is a free software video codec library from Google and the Alliance for Open Media, also known as AOMedia. It is the VP8 video encoder for WebM, an open-for-all, royalty-free media file format that reduces bitrate while retaining visual quality.
A heap-based buffer overflow occurs when a program writes more data to a dynamically allocated portion of memory than the buffer can hold. Attackers can take advantage of this by corrupting adjacent heap data or pointers, which can redirect execution and run malicious code.
Google did not provide further details about the vulnerability, only stating that it is aware of an exploit in the wild. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."
Google credited the discovery to Clément Lecigne of the company's Threat Analysis Group. Maddie Stone, a researcher at Google TAG, tweeted that the flaw was "in use by a commercial surveillance vendor."
The market for commercial spyware has boomed over the past decade. At least 30 vendors now offer tools designed to remotely retrieve smartphone text messages, surreptitiously activate microphones and obtain precise locations. Despite assurances from multiple vendors that they have strong controls in place to prevent their tools from being used inappropriately, civil society activists say such tools are regularly employed by authoritarian or repressive regimes (see: Apple Fixes Bugs That Infected Egyptian Politician's iPhone).
The patch comes just weeks after Chrome fixed another zero-day being exploited in the wild - CVE-2023-4863 (see: Google Fixes Chrome Zero-Day Exploited in the Wild). The previous bug was also a buffer overflow vulnerability.