Google, Microsoft and Mozilla push browser updates to foil zero-day

A zero-day in Google’s Chrome browser was first reported by surveillance researchers at The Citizen Lab and Apple, but also affects other browsers

Google, Microsoft and Mozilla have all moved to patch a critical zero-day flaw affecting their browsers and potentially linked to the dissemination of malicious commercial spyware.

The vulnerability in question has been assigned the designation CVE-2023-4863. It is a heap-based buffer overflow flaw that enables a remote attacker to perform an out-of-bounds memory write via a crafted malicious HTML page.

It was found in the WebP codec, a Google-developed image file format that is supported by other browsers, hence Microsoft and Mozilla’s subsequent actions.

Google said it had updated the Stable and Extended stable channels for Chrome to 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows, to roll out over the coming days.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Srinivas Sista, technical program manager for Google Chrome. “Google is aware that an exploit for CVE-2023-4863 exists in the wild.”

Microsoft said the issue affected Microsoft Edge versions prior to 116.0.1938.81, and advised users to update to this version or later.

Mozilla said the impacted versions of Firefox, Firefox ESR and Thunderbird are Firefox 117.0.1, Firefox ESR 102.15.1, Firefox ESR 115.2.1, Thunderbird 102.15.1 and Thunderbird 115.2.2. It additionally confirmed it was aware of exploits in the wild.
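The fixed builds above are not a single cut-off: Firefox ESR and Thunderbird keep two release branches alive, so 115.0.3 is numerically newer than 102.15.1 yet still vulnerable, and a plain string comparison would also rank 116.0.5845.99 above 116.0.5845.187. The following is an added example, not code from the article or from any of the vendors, that encodes the minimum fixed versions quoted above and checks an inventory against them per branch. The inventory records are constructed, and the rule that a major newer than every fixed branch carries the fix is an assumption of this example.

```python
"""Check installed browser/mail-client versions against the CVE-2023-4863 fixes."""

from __future__ import annotations

# Minimum fixed versions as reported by Google, Microsoft and Mozilla.
# Each product maps to (branch_major, fixed_version) pairs: ESR and Thunderbird
# branches were patched independently, so the check must be branch-aware.
# Chrome on Windows also shipped .188, but .187 is the minimum fixed build.
FIXED_VERSIONS = {
    "chrome": [(116, "116.0.5845.187")],
    "edge": [(116, "116.0.1938.81")],
    "firefox": [(117, "117.0.1")],
    "firefox-esr": [(102, "102.15.1"), (115, "115.2.1")],
    "thunderbird": [(102, "102.15.1"), (115, "115.2.2")],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '116.0.5845.187' into (116, 0, 5845, 187) so comparison is numeric,
    not lexical. Rejects anything that is not a dotted run of integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(product: str, version: str) -> bool:
    """True when `version` of `product` carries the CVE-2023-4863 fix."""
    branches = FIXED_VERSIONS[product.lower()]
    v = parse_version(version)
    major = v[0]
    for branch_major, fixed in branches:
        if major == branch_major:
            # Same branch: a shorter tuple such as (117, 0) sorts below
            # (117, 0, 1), which is the behaviour we want for '117.0'.
            return v >= parse_version(fixed)
    # Assumption (not stated in the article): a major newer than every listed
    # branch was cut after the fix landed and therefore includes it; anything
    # older than the oldest fixed branch never received a fix.
    return major > max(b for b, _ in branches)


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return the (host, product, version) records that still need updating."""
    return [rec for rec in inventory if not is_fixed(rec[1], rec[2])]


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "116.0.5845.140"),       # below the fixed build
    ("ws-02", "chrome", "116.0.5845.187"),       # exactly the fixed build
    ("ws-03", "edge", "116.0.1938.76"),          # prior to 116.0.1938.81
    ("ws-04", "firefox", "117.0"),               # one dot-release short
    ("ws-05", "firefox-esr", "115.0.3"),         # newer than 102.15.1, still vulnerable
    ("ws-06", "firefox-esr", "102.15.1"),        # fixed on the 102 branch
    ("ws-07", "thunderbird", "115.2.1"),         # Thunderbird 115 needs 115.2.2
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} still vulnerable to CVE-2023-4863")
```

Feed it the output of whatever inventory source you already have (an endpoint-management export, `osquery` results, a browser-policy report); the only requirement is a product name and a dotted version string. Note that ws-05 is the case a naive "newer than 102.15.1" rule would miss.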

Paul Bischoff, consumer privacy advocate at Comparitech, explained that buffer overflow attacks are a “classic” cyber attack resulting in the overflowing data being executed or causing the system to crash.

“If attackers can trick victim devices into executing arbitrary code, then that would allow them to launch any number of follow-on attacks to infiltrate systems, escalate privileges, plant malware and steal data,” he said.

“We don’t know all of the details of the WebP exploits currently in the wild, but it seems likely government organisations and CNI [critical national infrastructure] could be in danger if they use the affected browsers and fail to update them,” said Bischoff.

In an indication of its impact, CVE-2023-4863 has already been added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue, obliging US government organisations to apply the patches before 4 October. Although this mandate has no official or legal standing beyond the American government, it provides a clear signal that all users should prioritise remediation efforts.

There are also indications that the impact of the issue extends far beyond the realm of web browsers, and affects any software that uses the libwebp library. This includes a number of desktop apps built on the Electron software development framework, including 1Password, Discord, Dropbox, Signal, Skype, Slack, Microsoft Teams and Twitch. Electron has also issued a patch. According to Alex Ivanovs of StackDiary, the vulnerability had been “falsely marked as Chrome-only by Mitre and other organisations” and as such, widely reported to only affect browsers initially.
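A practical consequence of the bug living in libwebp rather than in any one browser is that exposure is decided by what bytes reach the decoder, not by what an application calls the file. Browsers, and many libraries built on libwebp, select the decoder from the RIFF/WEBP magic, so an upload filter that only inspects the file extension does not keep WebP data away from the vulnerable code. The following is an added example, not code from the article, Google or any of the affected projects, that identifies WebP content by its container header and flags size inconsistencies worth rejecting before decoding. The sample byte strings are constructed header-only containers, not decodable images, and the assumption that downstream consumers dispatch on magic bytes rather than extension is this example's, not the article's.

```python
"""Identify WebP input by content, independent of file name."""

from __future__ import annotations

import struct
from typing import Optional

# RIFF/WEBP layout: 'RIFF' <u32 payload length> 'WEBP' then chunks of
# <fourcc> <u32 length> <payload>, each padded to an even length.
# The first chunk's fourcc tells libwebp which bitstream flavour follows.
VARIANTS = {b"VP8 ": "lossy", b"VP8L": "lossless", b"VP8X": "extended"}


def classify_webp(data: bytes) -> Optional[dict]:
    """Return None if `data` is not a RIFF/WEBP container; otherwise report the
    first chunk's variant and whether the declared lengths match the bytes present.
    A mismatch means the file is truncated or lies about its size; either way it
    should be rejected rather than handed to the decoder."""
    if len(data) < 20 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_len = struct.unpack_from("<I", data, 4)[0]
    fourcc = data[12:16]
    chunk_len = struct.unpack_from("<I", data, 16)[0]
    return {
        "variant": VARIANTS.get(fourcc, "unknown:" + fourcc.decode("latin-1")),
        "riff_len_ok": riff_len + 8 == len(data),
        "first_chunk_fits": 20 + chunk_len <= len(data),
    }


def would_reach_webp_decoder(filename: str, data: bytes) -> bool:
    """Assumption of this example: the consumer picks its decoder from the magic
    bytes, so the extension in `filename` has no bearing on the answer."""
    del filename  # deliberately ignored
    return classify_webp(data) is not None


def make_sample(fourcc: bytes, payload: bytes) -> bytes:
    """Build a minimal RIFF/WEBP container around `payload`. Constructed for
    illustration only; the payload is not a valid image bitstream."""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload
    if len(chunk) % 2:
        chunk += b"\0"  # RIFF pads odd-length chunks
    body = b"WEBP" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a lossless-flavoured WebP header, a PNG signature, and a
# WebP container cut short so its declared lengths no longer match.
LOSSLESS_SAMPLE = make_sample(b"VP8L", b"\x2f" + bytes(4))
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)
TRUNCATED_SAMPLE = LOSSLESS_SAMPLE[:22]

if __name__ == "__main__":
    for name, blob in [("holiday.png", LOSSLESS_SAMPLE),
                       ("holiday.webp", PNG_SAMPLE),
                       ("cut.webp", TRUNCATED_SAMPLE)]:
        print(name, would_reach_webp_decoder(name, blob), classify_webp(blob))
```

The first sample is the instructive one: it is named `holiday.png` but will be decoded as WebP by anything that sniffs content, which is why an "only allow PNG and JPEG" extension rule is not a mitigation for an unpatched libwebp.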

Stand-up citizens

CVE-2023-4863 is the latest in a string of zero-days disclosed by The Citizen Lab at the University of Toronto’s Munk School – in this instance working alongside Apple Security Engineering and Architecture (SEAR).

Prior to last weekend, Apple had already fixed two other zero-click zero-days in its iOS mobile operating system that were allegedly being exploited to distribute commercial spyware created by NSO Group. NSO is an Israeli spyware manufacturer linked to malicious state surveillance, notably the murder of journalist Jamal Khashoggi by the Saudi Arabian authorities. Khashoggi, who worked for the Washington Post, was killed at the Saudi consulate in Istanbul in 2018.

In the latest development in its ongoing investigation of NSO Group’s activities, Citizen Lab this week published new details of an investigative collaboration with Access Now, revealing how the iPhone of Galina Timchenko was hacked by a customer of NSO using its Pegasus spyware.

Timchenko is an award-winning Russian journalist and co-founder of the independent and outlawed Meduza media outlet, who was forced to flee her home due to her opposition to the Putin regime and now lives in Latvia. Her organisation contacted Access Now in June after she was informed by Apple that state-sponsored threat actors may be targeting her device. The investigation found that her smartphone had become infected with NSO’s Pegasus spyware on or around 10 February, while she was attending a seminar in Berlin.

NSO purposefully designs Pegasus to obfuscate who is using it, so firm attribution of the incident to Russia is not necessarily a done deal – the European Union (EU) PEGA Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware believes there to be 14 state operators of Pegasus within the EU itself, including both Germany and Latvia.

This article was edited at 13:40 BST on Thursday 14 September 2023 to incorporate new information on the extent of the issue.
