In a year already fraught with cybersecurity threats, Google has yet again released an emergency security update to address a high-severity vulnerability, this time in its VP8 video encoding library. The update comes on the heels of a series of 0-day vulnerabilities, making this the fifth such issue Google has addressed in 2023. This vulnerability, identified as CVE-2023-5217, affects not just Google Chrome but all Chromium-based browsers and has been confirmed to be actively exploited in the wild.

Urgency of the Update

The VP8 vulnerability was reported by Clément Lecigne of Google’s Threat Analysis Group on September 25, 2023. Given its high severity rating and the confirmed in-the-wild exploitation of this heap buffer overflow, Chrome users are advised to install the update immediately. The latest stable version of Chrome, 117.0.5938.132, contains the fix and is available for all supported operating systems.

Although Google has been tight-lipped about specifics, another member of the Threat Analysis Group indicated on Twitter that a “commercial surveillance vendor” is exploiting this vulnerability. This raises concerns about the potential for spyware installations on user devices.

How to Update Chrome

To update Chrome on desktop systems, users can navigate to Menu > Help > About Google Chrome, where the browser will automatically check for updates. Installation happens automatically, but a restart is required to complete the update.

For Android users, Google has released version 117.0.5938.140, distributed via Google Play. Unfortunately, Android offers no option to speed up installation of the update; it arrives as Google Play rolls it out.
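Checking a single machine through the About page works for one user, but an administrator will want to verify many installs against the fixed builds the article names. The following is an added example, not code from the article or from Google: it parses a Chrome version string, compares it component-wise against the first fixed build for each platform (117.0.5938.132 on desktop, 117.0.5938.140 on Android, both taken from the article), and classifies a small inventory. The `google-chrome` binary names, the inventory record layout and the sample hosts are assumptions constructed for illustration.

```python
"""Audit installed Chrome builds against the first release fixing CVE-2023-5217.

Added example, not code from the original article or from Google. The fixed
version numbers come from the article; helper names, platform labels, binary
names and the sample inventory below are constructed assumptions.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# First fixed stable builds named in the article, per platform.
FIXED_VERSIONS = {
    "desktop": "117.0.5938.132",
    "android": "117.0.5938.140",
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from free text such as
    'Google Chrome 117.0.5938.132' and return it as a tuple of ints.
    Raises ValueError when no version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed: str, platform: str = "desktop") -> bool:
    """True when `installed` is at or above the first fixed build for
    `platform`. Missing trailing components count as zero, so a bare
    '117.0.5938' is (correctly) reported as older than 117.0.5938.132."""
    have = parse_version(installed)
    need = parse_version(FIXED_VERSIONS[platform])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def installed_chrome_version() -> Optional[str]:
    """Best-effort local query on Linux/macOS via `<binary> --version`.
    The binary names are assumptions; returns None if none is found."""
    for binary in ("google-chrome", "google-chrome-stable", "chromium"):
        try:
            out = subprocess.run([binary, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


def audit(inventory) -> Tuple[List[str], List[str]]:
    """Split (hostname, platform, version_string) records, a constructed
    inventory layout, into patched and unpatched host lists."""
    patched, unpatched = [], []
    for host, platform, version in inventory:
        (patched if is_patched(version, platform) else unpatched).append(host)
    return patched, unpatched


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "Google Chrome 117.0.5938.132"),   # exactly the fix
    ("ws-02", "desktop", "Google Chrome 117.0.5938.92"),    # older build
    ("ws-03", "desktop", "Google Chrome 118.0.0.0"),        # later major
    ("phone-01", "android", "117.0.5938.140"),              # Android fix
    ("phone-02", "android", "117.0.5938.132"),              # desktop fix, not Android's
]

if __name__ == "__main__":
    ok, stale = audit(SAMPLE_INVENTORY)
    print("patched:", ok)
    print("needs update:", stale)
    local = installed_chrome_version()
    if local:
        print("local:", local, "patched" if is_patched(local) else "NEEDS UPDATE")
```

Note that the Android fixed build is later than the desktop one, so the platform label matters: the same version string that passes on desktop fails on Android, which is why the sample inventory carries a platform per host rather than one global threshold.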

Other Vulnerabilities Patched

In addition to the VP8 encoding issue, Google also patched two other high-severity vulnerabilities in this Chrome update, related to “use after free” issues in passwords and extensions. These are identified as CVE-2023-5186 and CVE-2023-5187, respectively.

Impact on Other Browsers

It’s not just Chrome that’s at risk; other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are also vulnerable. Some of these browsers may already have released updates to fix these security issues. Moreover, Firefox has also been noted to be affected by a similar vulnerability.

Lessons from Past Exploits

This VP8 bug is reminiscent of the WebP exploit that Google addressed earlier in September. Both are heap buffer overflow vulnerabilities in libraries developed by Google: the WebP issue was a heap buffer overflow in the libwebp library. Together they highlight the broader implications of such vulnerabilities in commonly used libraries, where a single bug reaches every application that bundles the code.

Navigating a Risky Landscape

In summary, given the continuous discovery of 0-day vulnerabilities and the escalating sophistication of cyberattacks, keeping software up-to-date has never been more critical. Google’s proactive approach to releasing emergency patches is commendable, but users must also play their part by updating their software as soon as possible.

Stay vigilant, stay updated, and stay secure.