Google has patched three high-severity flaws in the latest release of its Chrome browser, including one zero-day vulnerability it said is being actively exploited in the wild.
Google Chrome 117.0.5938.132 is currently rolling out worldwide to Windows, Mac and Linux users in the Stable desktop channel.
Most noteworthy is a fix for CVE-2023-5217, described as a heap buffer overflow issue in the VP8 encoding of the open source libvpx video codec library.
No other details were available on the official Google Chrome update page, although the firm said “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
However, we do know that it was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on Monday. The quick turnaround time for a patch indicates the criticality of the bug.
That was confirmed by TAG researcher Maddie Stone, who said the vulnerability is “in use by a commercial surveillance vendor.”
It’s unclear exactly who that vendor is at this stage, but there has been a spate of zero-day discoveries of late tied back to commercial spyware makers.
Just last week, Apple patched three zero-day vulnerabilities it claimed may have been actively exploited in the wild on iOS devices. These were discovered by TAG and the non-profit Citizen Lab.
Citizen Lab tied the bugs to Cytrox’s Predator spyware and said they were delivered via links sent over SMS and WhatsApp. They were initially observed targeting Egyptian presidential hopeful Ahmed Eltantawy.
A previous duo of Apple zero-days used in a “BlastPass” exploit chain were traced to the NSO Group and its Pegasus spyware.
The remaining two high-severity bugs fixed in this Chrome update are CVE-2023-5186, a use-after-free flaw in Passwords, and CVE-2023-5187, a use-after-free bug in Extensions.
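For defenders checking fleet inventory against this update, the following is an added example (not code from the article or from Google) that compares an installed Chrome build against the fixed build named above, 117.0.5938.132, using numeric rather than lexical version comparison; the sample inventory lines are constructed.

```python
import re

# Fixed build and CVEs named in the article (Chrome 117.0.5938.132, Stable channel).
FIXED_VERSION = "117.0.5938.132"
CVES_FIXED = ("CVE-2023-5217", "CVE-2023-5186", "CVE-2023-5187")

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text):
    """Extract a four-part Chrome version from text such as the output of
    'google-chrome --version' ("Google Chrome 117.0.5938.92") and return it
    as a tuple of ints so comparison is numeric, not string-based."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed_text, fixed=FIXED_VERSION):
    """True when the installed build is at or above the fixed build.
    Tuple comparison avoids the classic inventory bug of comparing version
    strings lexically, where "117.0.5938.92" sorts above "117.0.5938.132"."""
    return parse_version(installed_text) >= parse_version(fixed)


def assess(installed_text):
    """Return a finding for one inventory line: whether the build carries the
    fix, and which of this update's CVEs an unpatched build is still exposed to."""
    patched = is_patched(installed_text)
    return {
        "version": ".".join(str(p) for p in parse_version(installed_text)),
        "patched": patched,
        "exposed": () if patched else CVES_FIXED,
    }


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    samples = [
        "Google Chrome 117.0.5938.92",
        "Google Chrome 117.0.5938.132",
        "Chromium 118.0.5993.70",
    ]
    for line in samples:
        print(assess(line))
```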