Actively Exploited Libvpx Flaw Affects both Firefox and Chrome Browsers

A heap buffer overflow in libvpx, CVE-2023-5217, affects Firefox and Google Chrome. The flaw is actively exploited in the wild.

Google Patches Fifth Chrome Zero-Day Vulnerability
Google has released emergency security updates to patch the fifth Chrome zero-day vulnerability that has been exploited in attacks since the beginning of the year. 

In a security advisory, Google revealed that it is aware of an exploit for CVE-2023-5217 that exists in the wild. The vulnerability is addressed in Google Chrome 117.0.5938.132 and is being rolled out worldwide to Windows, Mac, and Linux users in the Stable Desktop channel.

The zero-day vulnerability, known as CVE-2023-5217, is a high-severity issue caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library. This flaw can result in app crashes and arbitrary code execution. It was initially reported by Google Threat Analysis Group (TAG) security researcher Clément Lecigne.

This release is a security update that fixes 10 vulnerabilities. CVE numbers have been published for the following three, all of which are rated "High".

  • CVE-2023-5217: VP8 encoding buffer overflow in libvpx library
  • CVE-2023-5186: Use after free in password function
  • CVE-2023-5187: Use after free in extensions


TAG researchers, including Maddie Stone, have previously discovered and reported zero-day vulnerabilities that were exploited in targeted spyware attacks by government-sponsored threat actors and hacking groups. In this case, the CVE-2023-5217 vulnerability was also exploited to install spyware.

While Google has confirmed that the vulnerability has been exploited in attacks, it has not provided further details about these incidents. The company may restrict access to bug details and links until a majority of users have been updated with the fix. This proactive approach allows users to update their browsers as a preemptive measure against potential attacks.

In the past, Google has also addressed other zero-day vulnerabilities, including CVE-2023-4863 (re-addressed as CVE-2023-5129), which was exploited in the wild. It is essential for users to regularly update their browsers to protect themselves from these vulnerabilities. By staying up to date with the latest security patches, users can mitigate the risk of threat actors creating and deploying their own exploits in real-world scenarios.

Mozilla Products are also vulnerable 

Today, Mozilla has released security updates to address a critical vulnerability in multiple products including the Firefox browser and Thunderbird email client. 

The vulnerability addressed by this security update is the same one fixed in Google Chrome. Tracked as CVE-2023-5217, the heap buffer overflow in the libvpx library also affects Firefox and Thunderbird, as they use the same library for handling VP8 video streams.

The vulnerability was reported to Mozilla by Clément Lecigne of Google's Threat Analysis Group. Mozilla has assessed the impact of this vulnerability as critical severity.

Updates have been released for Firefox, Firefox ESR, Firefox for Android, Firefox Focus for Android, and Thunderbird which address this vulnerability. Users are recommended to update to the latest versions as soon as possible to ensure they are protected against any attacks exploiting this vulnerability.

Mozilla has stated that they are aware of this vulnerability being actively exploited in the wild against other products. While no reports of attacks targeting Mozilla products have surfaced yet, the nature of the vulnerability makes it prudent to deploy the security updates urgently.

The updated versions are Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, Firefox Focus 118.1.0 and Thunderbird 115.3.1. Users can manually check for updates or configure auto-updates to ensure they receive the fixes as soon as available.
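To triage a software inventory against the fixed versions listed above, the following added example (not from Google or Mozilla) flags installs that are older than the patched release. The product keys, hostnames and installed versions are assumptions constructed for illustration; only the fixed version numbers come from this article.

```python
import re

# Fixed versions exactly as listed in this article. The dictionary keys are
# hypothetical inventory labels, not official product identifiers.
FIXED = {
    "chrome": "117.0.5938.132",
    "firefox": "118.0.1",
    "firefox-esr": "115.3.1",
    "firefox-android": "118.1.0",
    "firefox-focus": "118.1.0",
    "thunderbird": "115.3.1",
}

def parse_version(text):
    """Turn '117.0.5938.92' or '115.3.1esr' into a tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component in {text!r}")
        parts.append(int(m.group()))
    return tuple(parts)

def needs_update(product, version):
    """True if older than the fixed version, False if not, None if product is unlisted."""
    fixed = FIXED.get(product.lower())
    if fixed is None:
        return None
    have, want = parse_version(version), parse_version(fixed)
    width = max(len(have), len(want))
    # Pad so that '118.0' compares as 118.0.0 against 118.0.1.
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want  # numeric compare: 92 < 132, unlike a string compare

def triage(inventory):
    """Return (host, product, installed, fixed) for every record needing an update."""
    return [(h, p, v, FIXED[p.lower()]) for h, p, v in inventory if needs_update(p, v)]

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "117.0.5938.92"),
    ("ws-02", "chrome", "117.0.5938.132"),
    ("ws-03", "firefox", "118.0"),
    ("ws-04", "firefox-esr", "115.3.1esr"),
    ("ws-05", "thunderbird", "115.3.0"),
    ("ws-06", "safari", "17.0"),  # not covered by this article
]

if __name__ == "__main__":
    for host, product, installed, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} -> update to {fixed} or later")
```

Products the article does not list return `None` rather than a clean result, so they can be reviewed separately instead of being treated as patched.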
