Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

GOOGLE FIXED THE FIFTH CHROME ZERO-DAY OF 2023

Google released security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-5217, in the Chrome browser. Google on Wednesday released security updates to address a new actively exploited zero-day flaw in the Chrome browser which is tracked as CVE-2023-5217. The CVE-2023-5217 is a high-severity heap buffer overflow that affects vp8 encoding in […]

Google Chrome Gemini Live

Google released security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-5217, in the Chrome browser.

Google on Wednesday released security updates to address a new actively exploited zero-day flaw in the Chrome browser which is tracked as CVE-2023-5217.

The CVE-2023-5217 is a high-severity heap buffer overflow that affects vp8 encoding in libvpx. The vulnerability was discovered by Clément Lecigne from Google’s Threat Analysis Group on 2023-09-25, a circumstance that suggests it was exploited by a nation-state actor or by a surveillance firm.

“High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-09-25″ reads the advisory published by Google. “Google is aware that an exploit for CVE-2023-5217 exists in the wild.”

Google TAG researcher Maddie Stone highlighted that the issue was addressed in only two days after the initial discovery, she also confirmed the exploitation by a commercial spyware vendor.

An attacker can trigger the flaw to cause the application to crash or to execute arbitrary code.

This is the fifth actively exploited zero-day vulnerability in Chrome addressed by Google this year, the other ones are:

  • CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library
  • CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP

Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to address the zero-day.

Google also addressed this month the following vulnerabilities in the Chrome browser:

  • [$TBD][1478889] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
  • [$2000][1475798] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)