Google Fixes Fifth Actively Exploited Chrome Zero-Day of 2023
Cyber Security Threat Summary:
Yesterday, Google released emergency security updates to address a zero-day flaw impacting its Chrome Browser. Tracked as CVE-2023-5217, the flaw relates to a heap buffer overflow weakness in the VP8 encoding of libvpx, an open-source video codec library from Google and the Alliance for Open Media (AOMedia). A successful exploit of this flaw could lead to browser crashes or arbitrary code execution. Google Threat Analysis Group (TAG) security researcher Clément Lecigne, has been credited for discovering the flaw, which has now been addressed with the release of Chrome 117.0.5938.132.
Security Officer Comments:
CVE-2023-5217 is the fifth zero-day in Chrome to be addressed this year. Below is a list of the other flaws fixed by Google:
- CVE-2023-2033 (CVSS score: 8.8) - Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) - Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) - Heap buffer overflow in WebP
Suggested Correction(s):
Automating critical security updates is essential to promptly patch vulnerabilities, ensure consistency across systems, minimize downtime, meet compliance requirements, and proactively defend against evolving cyber threats. Automation streamlines the update process, frees up IT resources, and provides real-time monitoring and reporting, making it a fundamental component of modern cybersecurity strategies.
As a Microsoft Windows administrator, you can use Google Update to manage how your users' Chrome browser and Chrome apps are updated. You can manage Google Update settings using the Group Policy Management Editor.
You can see the values of Google Update policies set for a computer in the Chrome policy list at chrome://policy. For more information please refer down below:
https://support.google.com/chrome/a/answer/6350036?hl=en
For individuals users or workstations:
Link(s):
https://www.bleepingcomputer.com/