Google has issued an emergency patch to address a critical vulnerability found in its Chrome web browser. The flaw, known as CVE-2023-4863, is a heap buffer overflow in the WebP image format. Exploiting this vulnerability can potentially result in arbitrary code execution or system crashes.
Though Google has not revealed specific details about the exploit, they have confirmed the existence of an active exploit in the wild. This indicates that hackers are actively taking advantage of the vulnerability. Consequently, users who have not updated their Chrome browser are at risk of being targeted.
This latest security patch from Google not only addresses CVE-2023-4863 but also tackles three additional zero-day vulnerabilities (CVE-2023-2033, CVE-2023-2136, CVE-2023-3079) that have been discovered earlier this year.
Another patched vulnerability, identified as CVE-2023-41064, also involves image processing. The connection between these two vulnerabilities is worth noting. CVE-2023-41064 is a buffer overflow issue in the Image I/O component, allowing for arbitrary code execution when processing a specially crafted image. It has been utilized alongside CVE-2023-41061 in an exploit chain named BLASTPASS to deploy the Pegasus spyware on fully-patched iPhones with iOS 16.6.
To safeguard against potential attacks, it is crucial for users to update their Chrome browser to version 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux.
Users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also install the updates as soon as they are made available.