CarderPlanet
Professional
Google does not cope with the protection of Chrome and eliminates the fifth 0day in the browser.
Over the past few months, Google has been actively fighting security threats related to the Chrome browser. Another update aimed at eliminating vulnerabilities was released urgently due to the discovery of the fifth 0day vulnerability since the beginning of the year.
According to the company's statement, Google is aware that CVE-2023-5217 is actively exploited in real-world conditions. This vulnerability was fixed in Google Chrome version 117.0.5938.132 for Windows, Mac and Linux. In addition to the update, the browser will automatically check for new versions and install them after the next launch, so that all users receive the update.
Vulnerability CVE-2023-5217, classified as highly dangerous, is associated with a heap buffer overflow in VP8 encoding of the open video codec library libvpx from Google and the Alliance for Open Media (AOMedia). This flaw can lead to application crashes and arbitrary code execution. It is noted that the error was used to install spyware. The vulnerability was discovered by a security researcher from the Google TAG threat analysis group on September 25.
Despite Google's confirmation that the vulnerability CVE-2023-5217 was used in the attacks, the company has not yet provided additional information on the incidents. According to the statement, access to error details and related links may remain restricted until most users update their browsers. This approach will help prevent possible attacks in the future, especially as more technical details become available.
It's also worth noting that Google patched another zero-day vulnerability, CVE-2023-4863, just 2 weeks ago, which was the fourth case since the beginning of the year. At first, the company attributed the case to Chrome bugs, but then assigned a different CVE identifier (CVE-2023-5129) and a 10/10 hazard level, designating the flaw as a critical security threat in the libwebp library used by many projects, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple's Safari and the built-in Android web browser.
Over the past few months, Google has been actively fighting security threats related to the Chrome browser. Another update aimed at eliminating vulnerabilities was released urgently due to the discovery of the fifth 0day vulnerability since the beginning of the year.
According to the company's statement, Google is aware that CVE-2023-5217 is actively exploited in real-world conditions. This vulnerability was fixed in Google Chrome version 117.0.5938.132 for Windows, Mac and Linux. In addition to the update, the browser will automatically check for new versions and install them after the next launch, so that all users receive the update.
Vulnerability CVE-2023-5217, classified as highly dangerous, is associated with a heap buffer overflow in VP8 encoding of the open video codec library libvpx from Google and the Alliance for Open Media (AOMedia). This flaw can lead to application crashes and arbitrary code execution. It is noted that the error was used to install spyware. The vulnerability was discovered by a security researcher from the Google TAG threat analysis group on September 25.
Despite Google's confirmation that the vulnerability CVE-2023-5217 was used in the attacks, the company has not yet provided additional information on the incidents. According to the statement, access to error details and related links may remain restricted until most users update their browsers. This approach will help prevent possible attacks in the future, especially as more technical details become available.
It's also worth noting that Google patched another zero-day vulnerability, CVE-2023-4863, just 2 weeks ago, which was the fourth case since the beginning of the year. At first, the company attributed the case to Chrome bugs, but then assigned a different CVE identifier (CVE-2023-5129) and a 10/10 hazard level, designating the flaw as a critical security threat in the libwebp library used by many projects, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple's Safari and the built-in Android web browser.
