A zero-day vulnerability related to the video codec 'VP8' has been discovered, Chrome and Firefox have implemented security updates, and there are cases where it has already been exploited.
Google's Chrome development team updated the desktop version of Chrome on September 27, 2023 to address security vulnerabilities. The vulnerabilities fixed in this update include
Chrome Releases: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
Google fixes fifth actively exploited Chrome zero-day of 2023
https://www.bleepingcomputer.com/news/security/google-fixes-fifth-actively-exploited-chrome-zero-day-of-2023/
A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day | Ars Technica
https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/
The Chrome security update released by Google includes a total of 10 security fixes, and one of the most important is a zero-day vulnerability called CVE-2023-5217 . CVE-2023-5217 is a buffer overflow in the encoding of VP8 that incorporates the open source video codec library ' libvpx '.
CVE-2023-5217 was discovered by Clement Lecine , a security researcher who belongs to the Threat Analysis Group (TAG), a threat analysis team operated by Google. CVE-2023-5217 is already being exploited by commercial monitoring software vendors, and Google has acknowledged that an exploit using CVE-2023-5217 actually exists.
According to security researcher Hossein Lotfi, this vulnerability occurs because VP8 allows the number of threads to be changed after the encoder is created.
New Google Chrome In-The-Wild vulnerability used by a commercial surveillance vendor is a buffer overflow in vp8 encoding in libvpx (CVE-2023-5217 [1486441]) and happens due to allowing thread count change after encoder creation: https:// t.co/CrswteBsh3 https://t.co/VirTxQQoKm
— Hossein Lotfi (@hosselot) September 28, 2023
In addition, the impact of the VP8 zero-day vulnerability is not limited to Chrome, but security updates for the vulnerability have also been implemented in the desktop and Android versions of Firefox developed by Mozilla.
Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0. — Mozilla
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
This vulnerability is believed to be caused by libvpx built into VP8, but Will Dorman, senior principal analyst at cyber solutions company Analysis, said, ``The fact that the package depends on libvpx... That doesn't necessarily mean it's vulnerable. This vulnerability is about VP8 encoding, and if you're only using libvpx for decoding, you don't need to worry.' However, there may be packages other than Chrome and Firefox that are affected by this zero-day vulnerability.
Technology media Ars Technica said, ``It will probably take a few more days for the full extent of CVE-2023-5217 to become clear. ``What exactly does it take to exploit software that uses the library?'' did not immediately respond via email.''
Related Posts:
in Software, Web Service, Security, Posted by log1h_ik