Google Quickly Fixes Zero-Day Exploited By Spyware Vendor


Google has taken swift action to fix a zero-day vulnerability in its Chrome browser that was being exploited by a commercial spyware vendor. The vulnerability, known as CVE-2023-5217, was reported to Google’s Chrome team by Clement Lecigne of the Threat Analysis Group just two days before the patch was released. Google confirmed that the exploit was being used in the wild.

Key Takeaway

A zero-day vulnerability in Google Chrome, exploited by a commercial spyware vendor, has been promptly patched by Google. The vulnerability allowed the installation of malicious software and its specific details remain undisclosed.

Details of the Zero-Day Exploit

The zero-day vulnerability, described as a “heap buffer overflow in vp8 encoding in libvpx,” allowed the spyware vendor to install malicious software on victims’ systems. The specific details of the attacks exploiting the vulnerability were not disclosed in Google’s advisory. The company stated that access to bug details and links would be restricted until a majority of users had updated with the fix.

Rollout of the Patch

The vulnerability has been fixed in the latest version of Google Chrome, version 117.0.5938.132. The patch is currently being rolled out to Windows, Mac, and Linux users in the Stable Desktop channel.

Previous Zero-Day Exploits

This emergency patch for Google Chrome comes shortly after Google fixed another zero-day vulnerability, which was initially misidentified as a Chrome vulnerability but was later assigned to the open-source libwebp library. This vulnerability affected popular apps such as 1Password, Firefox, Microsoft Edge, Safari, and Signal. Additionally, Apple recently patched three zero-days that were used to exploit an Egyptian presidential candidate’s phone with the Predator spyware developed by Cytrox, another commercial spyware vendor.

Google’s swift action in fixing these vulnerabilities demonstrates their commitment to user security and highlights the continuous cat-and-mouse game between cybercriminals and technology companies. It also emphasizes the importance of regularly updating software to ensure protection against the latest threats.

Leave a Reply

Your email address will not be published. Required fields are marked *