Video Encoding Library Leaves Chrome, Firefox and More Open to Zero-Day Attack


Google and Mozilla have patched the zero-day vulnerability, which originates in the libvpx library.

[Image: the words "Zero Day" interrupting a series of binary zeros and ones. Image credit: profit_image/Adobe Stock]

Google and Mozilla have patched a zero-day exploit in Chrome and Firefox, respectively. The zero-day exploit was being used by a commercial spyware vendor. The vulnerability can leave users open to a heap buffer overflow, through which attackers could inject malicious code. Any software that uses VP8 encoding in libvpx or is based on Chromium (including Microsoft Edge) might be affected, not just Chrome or Firefox.

If you use Chrome, update to 117.0.5938.132 when it becomes available; Google says it could take “days/weeks” for all users to see the update. In Firefox, the exploit is patched in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1 and Firefox for Android 118.1.


This zero-day vulnerability originates in the libvpx library

The zero-day exploit is technically a heap buffer overflow in VP8 encoding in libvpx, a video codec library developed by Google and the Alliance for Open Media. It is widely used to encode or decode video in the VP8 and VP9 video coding formats.

“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” the Firefox team wrote in their security advisory.

From there, the vulnerability “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” mentioned the official Common Vulnerabilities and Exposures site.


The exploit is being tracked by Google as CVE-2023-5217. Clément Lecigne, a security researcher at Google’s Threat Analysis Group, found the flaw on September 25, leading to a patch on September 27.

“A commercial surveillance vendor” was actively using the exploit, researcher Maddie Stone of Google’s Threat Analysis Group noted on X.

There is not much more information available about the zero-day exploit at this time. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company wrote in the Chrome release update.

The Chrome update that includes the fix also remediates nine other vulnerabilities.

“In this case, a browser-based exploit tied to libvpx will raise a few eyebrows as it can crash the browser and execute malicious code – at the permissions level the browser was running at,” said Rob T. Lee, chief curriculum director and head of faculty at the SANS Institute and a former technical adviser to the U.S. Department of Justice, in an email to TechRepublic. “That gives some comfort, but many exploits can do much more – including implants to allow remote access.”

TechRepublic has reached out to Google and Mozilla for comment.

What can IT teams do to keep employees’ devices safe?

IT leaders should communicate to employees that they must keep their browsers updated and stay aware of potential vulnerabilities. Another heap buffer overflow attack last week affected a wide range of software using the WebP codec, so it is generally a good time to emphasize the importance of updates. Information on whether libvpx itself will be patched is not yet available, Ars Technica reported on Sept. 28.
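Telling staff to update is one thing; knowing which machines are still exposed is another. The following is an added example, not code from the article, Google or Mozilla: it takes a browser inventory (the records here are constructed, as an endpoint-management export might look) and compares each reported version against the fixed releases the article lists for Chrome, Firefox, Firefox ESR and the Android builds. The one subtlety it handles is that Firefox has two live branches, so a 115.x ESR build must be judged against 115.3.1 while 118.x is judged against 118.0.1, and 116 or 117 builds, which sit between the two branches, never received the fix at all. Microsoft Edge is deliberately skipped because the article gives no fixed Edge version.

```python
"""Fleet check for the libvpx VP8 zero-day (CVE-2023-5217) patch levels.

Added example; not code from the article, Google or Mozilla. It compares
the browser versions endpoints report against the fixed releases the article
lists and flags anything still exposed. The inventory records are constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed releases as stated in the article. Firefox has two live branches
# (ESR 115.x and release 118.x), so it gets one entry per branch.
PATCHED: Dict[str, List[Version]] = {
    "chrome": [(117, 0, 5938, 132)],
    "firefox": [(115, 3, 1), (118, 0, 1)],
    "firefox-android": [(118, 1)],
    "firefox-focus-android": [(118, 1)],
}


def parse_version(text: str) -> Version:
    """Turn '117.0.5938.132' or '115.3.1esr' into a tuple of ints."""
    cleaned = text.strip().lower()
    if cleaned.endswith("esr"):  # Firefox ESR appends the suffix to its version string
        cleaned = cleaned[:-3]
    parts = cleaned.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, version: str) -> bool:
    """True if this product/version is at or above the fixed release for its branch."""
    fixed = PATCHED[product]
    v = parse_version(version)
    same_branch = [f for f in fixed if f[0] == v[0]]
    if same_branch:
        # Same major branch: tuple comparison is element by element and treats a
        # shorter prefix as smaller, so 115.3 < 115.3.1 and 117.0.5938.131 < 117.0.5938.132.
        return v >= same_branch[0]
    # No fixed release on this major branch. Anything newer than every listed
    # fix is a later release and carries it; anything else (e.g. Firefox 116 or
    # 117, which sit between ESR 115 and release 118) never received the fix.
    return v[0] > max(f[0] for f in fixed)


def unpatched_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Hostnames whose (product, version) is still exposed; unknown products are skipped."""
    exposed = []
    for host, product, version in inventory:
        if product not in PATCHED:
            continue  # e.g. Edge: the article gives no fixed version, so no verdict
        try:
            if not is_patched(product, version):
                exposed.append(host)
        except ValueError:
            exposed.append(host)  # cannot prove it is fixed, so treat it as exposed
    return exposed


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "117.0.5938.132"),
    ("ws-002", "chrome", "117.0.5938.92"),
    ("ws-003", "chrome", "118.0.5993.70"),
    ("ws-004", "firefox", "115.3.1esr"),
    ("ws-005", "firefox", "115.2.1esr"),
    ("ws-006", "firefox", "117.0.1"),
    ("ws-007", "firefox", "118.0.1"),
    ("ws-008", "firefox-android", "118.0"),
    ("ws-009", "edge", "117.0.2045.47"),
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: still exposed, update the browser")
```

Run against the constructed inventory it reports ws-002, ws-005, ws-006 and ws-008. Feeding it a real export means mapping your tool's product names onto the keys in `PATCHED` and, for Edge and other Chromium-based browsers, adding the fixed version from the vendor's own advisory once it is published.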

“Implementing layered security and defense-in-depth strategies enable optimum mitigation of zero-day threats,” said Mozilla interim Head of Security John Bottoms in an email to TechRepublic.

“It is hard to prepare for organizations to prevent [zero-day exploits], similar to a decent social engineering attempt – the best you can do is shore up your logfiles and ensure that forensic evidence exists that can be traced back for months (if not years on critical systems),” said Lee. “Some tools can detect zero-days on the fly, including detections built into the operating system, but many of these sometimes degrade system performance.”
