A zero-day vulnerability related to the video codec 'VP8' has been discovered, Chrome and Firefox have implemented security updates, and there are cases where it has already been exploited.

Google's Chrome development team updated the desktop version of Chrome on September 27, 2023 to address security vulnerabilities. The vulnerabilities fixed in this update include

a zero-day vulnerability related to the video codec `` VP8 '', and cases of this vulnerability being exploited have already been confirmed.

Chrome Releases: Stable Channel Update for Desktop

Google fixes fifth actively exploited Chrome zero-day of 2023

A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day | Ars Technica

The Chrome security update released by Google includes a total of 10 security fixes, and one of the most important is a zero-day vulnerability called CVE-2023-5217 . CVE-2023-5217 is a buffer overflow in the encoding of VP8 that incorporates the open source video codec library ' libvpx '.

CVE-2023-5217 was discovered by Clement Lecine , a security researcher who belongs to the Threat Analysis Group (TAG), a threat analysis team operated by Google. CVE-2023-5217 is already being exploited by commercial monitoring software vendors, and Google has acknowledged that an exploit using CVE-2023-5217 actually exists.

According to security researcher Hossein Lotfi, this vulnerability occurs because VP8 allows the number of threads to be changed after the encoder is created.

In addition, the impact of the VP8 zero-day vulnerability is not limited to Chrome, but security updates for the vulnerability have also been implemented in the desktop and Android versions of Firefox developed by Mozilla.

Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0. — Mozilla

This vulnerability is believed to be caused by libvpx built into VP8, but Will Dorman, senior principal analyst at cyber solutions company Analysis, said, ``The fact that the package depends on libvpx... That doesn't necessarily mean it's vulnerable. This vulnerability is about VP8 encoding, and if you're only using libvpx for decoding, you don't need to worry.' However, there may be packages other than Chrome and Firefox that are affected by this zero-day vulnerability.

Technology media Ars Technica said, ``It will probably take a few more days for the full extent of CVE-2023-5217 to become clear. ``What exactly does it take to exploit software that uses the library?'' did not immediately respond via email.''

in Software,   Web Service,   Security, Posted by log1h_ik