NEWS: Emergency Fix: Google’s Response to Chrome Vulnerability

September 13, 2023

On Monday, Google released emergency security updates to address a critical vulnerability in its Chrome web browser that it says is being actively exploited in the wild. Tracked as CVE-2023-4863, the flaw is a heap buffer overflow in the WebP image format that could lead to arbitrary code execution or a crash when a crafted image is processed.

The flaw was discovered and reported on September 6, 2023, by Apple's Security Engineering and Architecture (SEAR) team and the Citizen Lab at the University of Toronto's Munk School. Google has not yet released further details about the nature of the attacks, but it has confirmed that an exploit for CVE-2023-4863 exists in the wild.

With this latest patch, Google has fixed a total of four zero-day vulnerabilities in Chrome since the start of the year, the earlier three being

  • CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8,
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia, and
  • CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8.

This development coincides with Apple extending its fixes for CVE-2023-41064 to older devices and operating systems: iOS 15.7.9 and iPadOS 15.7.9 for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation), as well as macOS Big Sur 11.7.10 and macOS Monterey 12.6.9.

CVE-2023-41064 is a buffer overflow in the Image I/O component that could lead to arbitrary code execution when processing a maliciously crafted image. According to the Citizen Lab, CVE-2023-41064 was chained with CVE-2023-41061, a validation issue in Wallet, in a zero-click iMessage exploit chain dubbed BLASTPASS to deploy Pegasus on fully updated iPhones running iOS 16.6.

Given that both CVE-2023-41064 and CVE-2023-4863 involve image processing and that both were reported by Apple and the Citizen Lab, a link between the two has been suggested. To mitigate the threat, users are advised to update to Chrome version 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also encouraged to apply the fixes as they become available.
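For administrators who need to confirm that the update above has actually landed across a fleet, the following script compares reported Chrome build numbers against the fixed versions the article gives. It is an added example, not code from the article or from Google; the hostnames and version strings in the sample inventory are constructed, and the function names are the example's own.

```python
"""Flag Chrome/Chromium installs that predate the CVE-2023-4863 fix.

Added example (not from the article or from Google). The fixed build numbers
come from the article: 116.0.5845.187/.188 on Windows, 116.0.5845.187 on
macOS and Linux. The inventory below is constructed sample data.
"""
import re
from typing import Iterable, List, Tuple

# First build on each platform that carries the CVE-2023-4863 fix (per the article).
FIXED_VERSIONS = {
    "windows": (116, 0, 5845, 187),
    "macos": (116, 0, 5845, 187),
    "linux": (116, 0, 5845, 187),
}

# Chrome versions are four dot-separated integers, e.g. 116.0.5845.187.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the four-part build number out of strings such as 'Google Chrome 116.0.5845.187'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text: str, platform: str) -> bool:
    """True when the reported build is at or above the first fixed build for that platform.

    Tuple comparison handles each component numerically, so 116.0.5845.188
    and any 117.x build compare as newer than 116.0.5845.187.
    """
    fixed = FIXED_VERSIONS[platform.lower()]
    return parse_version(version_text) >= fixed


def hosts_needing_update(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose reported Chrome build still predates the fix."""
    return [host for host, platform, version in inventory if not is_patched(version, platform)]


# Constructed sample inventory: (hostname, platform, output of `chrome --version`).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 116.0.5845.180"),
    ("ws-02", "windows", "Google Chrome 116.0.5845.188"),
    ("mac-01", "macOS", "Google Chrome 116.0.5845.187"),
    ("lx-01", "linux", "Chromium 115.0.5790.170"),
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Chrome build predates the CVE-2023-4863 fix, update required")
```

The check applies only to Chrome and Chromium builds, whose version numbers follow Google's scheme; Edge, Brave, Opera and Vivaldi carry their own version numbers, so their fixed builds must be taken from each vendor's release notes rather than from this table.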