Google has rushed to patch a zero-day vulnerability in Chrome that was exploited by a commercial spyware vendor.
The vulnerability was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released. Google said it is aware that an exploit for the vulnerability, tracked as CVE-2023-5217 and described as a “heap buffer overflow in vp8 encoding in libvpx”, exists in the wild.
Google’s advisory does not provide any further information about attacks exploiting the zero-day. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company said.
Google TAG did not immediately respond to TechCrunch’s questions, but TAG researcher Maddie Stone said in a post on X, previously Twitter, that the Chrome vulnerability had been exploited to install spyware.
The vulnerability is fixed in Google Chrome 117.0.5938.132, which is rolling out now to Windows, Mac, and Linux users in the Stable Desktop channel.
Just last week, Google TAG revealed that three zero-days recently patched by Apple were pushed out to block an exploit used to plant the Predator spyware on the phone of an Egyptian presidential candidate. Predator is a spyware developed by Cytrox, a controversial commercial spyware vendor, that can steal the contents of a victim’s phone once installed.
The release of an emergency patch for Chrome comes just weeks after Google fixed another actively exploited zero-day that was discovered by Apple’s Security Engineering and Architecture (SEAR) team and Citizen Lab, a digital rights organization at The University of Toronto that has investigated spyware for more than a decade.
This vulnerability was initially misidentified as a Chrome vulnerability, but Google has since assigned it to the open-source libwebp library used to encode and decode images in WebP format. This reclassification has ramifications for numerous popular apps using libwebp, including 1Password, Firefox, Microsoft Edge, Safari and Signal.
Security researchers have linked the vulnerability, which was given a maximum 10/10 severity rating, to the zero-click iMessage exploit chain, named BLASTPASS, used to deploy the NSO Group’s Pegasus spyware on compromised iPhones.
BLASTPASS was used against a member of a civil society organization in Washington, D.C., according to Citizen Lab’s Bill Marczak, who discovered the exploit. Speaking at TechCrunch Disrupt last week, Marczak claimed: “The root of the vulnerability was a bug in Google’s WebP image library, which is integrated into the iPhone. Attackers found some way to exploit this to run arbitrary code within Apple’s iMessage sandbox to install spyware on the system.”