A mysterious surveillance company is exploiting a new flaw in the Chrome browser to attack users, according to a Google security researcher.
Google security researcher Clément Lecigne discovered the threat on Monday, which prompted the company to issue an emergency patch since an exploit for the vulnerability existed "in the wild." Google security researcher Maddie Stone tweeted that the bug was "in use by a commercial surveillance vendor," but she did not name the company.
Google rated the threat as a “high” severity bug. The vulnerability, dubbed CVE-2023-5217, involves how the Chrome browser processes the VP8 video compression format. It can trigger a “heap buffer overflow” in a VP8 library, meaning data can be overwritten in the browser’s adjacent memory locations. Such errors can be exploited to execute rogue computer code, like triggering a browser to open a hacker-controlled web page or to download malware.
The fix arrives as the security community has spotted a surge in zero-day exploits from commercial spyware companies. Earlier this month, Google patched a separate flaw in Chrome that appeared to be tied to the notorious surveillance NSO Group, a company that sells spyware to foreign governments.
For CVE-2023-5217, Google released the patch through Chrome version 117.0.5938.132 for Windows, macOS, and Linux. To receive the fix, the browser should nudge you to do so by showing an “update” button in the upper-right corner of the browser. But you can also download it manually by going to the “About Chrome” tab to automatically receive the update or visiting Google's support page on how to download the patches.
Microsoft’s Edge, which uses Google’s Chromium engine, might also be susceptible to the flaw. But the company’s security page has not yet mentioned it.
