CarderPlanet
Google has released Chrome 117.0.5938.132, an update that fixes a vulnerability (CVE-2023-5217) in the libvpx library that causes a buffer overflow when the VP8 encoding functions are used. Unlike the recently identified vulnerability in the WebP image decoder, the problem in the VP8 encoder is rated high, but not critical, in severity: it does not by itself bypass all levels of browser protection, and other vulnerabilities are required to run code on the system outside the sandbox environment. At the same time, the vulnerability was identified during analysis of a working exploit found in the wild, which attackers had used to carry out attacks (0-day).
The vulnerability allows code execution when a specially crafted web page that calls the VP8 encoding functions is opened. The problem is present in libvpx and in all applications that use this library, the Chromium engine, or the Electron platform, but exploitation requires the ability to execute JavaScript code in the application, i.e. the problem mainly affects browsers. The vulnerability probably (not yet confirmed) also affects Firefox, since that browser also uses the libvpx library to process the VP8 format. The fix for the vulnerability is currently available only as a patch.
Recall that the critical vulnerability in libwebp could be exploited when processing a specially crafted image and affected Chrome, Safari, Firefox, Thunderbird and numerous products using libwebp, the Chromium engine or the Electron platform, for example Discord, GitHub Desktop, Mattermost, Signal, Edge, Brave, Opera, Slack, Twitch, Visual Studio Code, Android, 1Password, and Telegram.
Also worth noting is the disclosure of information about a vulnerability in the Firefox JIT engine that allowed code execution when a user opened a specially crafted page. The vulnerability (CVE not assigned) was caused by incorrect memory initialization in the code for converting Boolean parameters to JIT. The vulnerability was fixed last October in the Firefox 106 release.