It looks like a spyware attack that’s been targeting Apple iPhones can also compromise Google’s Chrome browser.
Google issued an emergency patch today for a critical flaw in Chrome while warning that hackers may already be exploiting the vulnerability to attack users.
Apple and the watchdog group Citizen Lab reported the vulnerability to Google—an indicator that the flaw is related to the recent spyware attack uncovered for iOS, macOS and watchOS.
The Citizen Lab at The University of Torontoʼs Munk School initially discovered the threat for Apple’s products while investigating a device that belonged to “an individual employed by a Washington, D.C.-based civil society organization with international offices.”
It turns out the device had been infected with the Pegasus spyware tied to NSO Group, an Israeli cyberarms provider known for selling to foreign governments and law enforcement groups. Specifically, the spyware leveraged two vulnerabilities in Apple software, CVE-2023-41064 and CVE-2023-41061, which involve using maliciously crafted files.
Although NSO Group didn’t respond to a request for comment, the company has been spotted upgrading Pegasus with new capabilities over the years, which could explain why the spyware was able to target the latest versions of iOS and now Google’s browser.
The critical flaw for Chrome, dubbed CVE-2023-4863, involves WebP, an image format that the browser supports. A bug can cause the software to flood data into the browser’s memory buffer when Chrome processes a maliciously crafted HTML page. The booby-trapped web page can be exploited to write data in the browser’s memory, where it’s normally not allowed to. This suggests the vulnerability could be packaged with a malicious email or web page to launch rogue computer code on the victim’s Chrome browser session, like downloading malware from the internet.
Google’s patch is arriving for Mac, Linux, and Windows users as “116.0.5845.187/.188.” The fix is scheduled to roll out in the coming days and weeks, although we received the patch today. To do so, go to the “About Chrome” tab to automatically receive the update or visit Google's support page on how to download the patches.
On Monday, Apple also released a patch for older iPhones to protect users from the threat.
