Google has urgently released security patches to address a critical vulnerability found in its Chrome web browser, which has already been exploited in real-world attacks. This vulnerability, known as CVE-2023-4863, is identified as a heap buffer overflow issue occurring within the WebP image format. Exploiting this flaw could lead to arbitrary code execution or crashes.

The discovery and report of this vulnerability came from Apple’s Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School, on September 6, 2023. Google has not disclosed specific details about the attacks but has acknowledged that an active exploit for CVE-2023-4863 is in circulation.

This is not the first time Google has had to address security concerns in Chrome this year. The company has now fixed a total of four zero-day vulnerabilities in the browser since the beginning of the year. Besides CVE-2023-4863, they are:

CVE-2023-2033 (CVSS score: 8.8) – A Type Confusion issue in V8.
CVE-2023-2136 (CVSS score: 9.6) – An Integer overflow problem in Skia.
CVE-2023-3079 (CVSS score: 8.8) – Another Type Confusion vulnerability in V8.

Interestingly, on the same day, Apple also issued fixes for CVE-2023-41064, which affects various iOS and macOS versions. This vulnerability is associated with a buffer overflow problem in the Image I/O component, potentially allowing arbitrary code execution when processing maliciously crafted images.

According to reports from the Citizen Lab, CVE-2023-41064 was used alongside CVE-2023-41061, a validation issue in Wallet, as part of a zero-click iMessage exploit chain called BLASTPASS, which was used to deploy Pegasus on fully-patched iPhones running iOS 16.6. The fact that both CVE-2023-41064 and CVE-2023-4863 relate to image processing and were reported by Apple and the Citizen Lab hints at a possible connection between the two.

To protect themselves from potential threats, users are strongly advised to update to Chrome version 116.0.5845.187 or .188 for Windows and 116.0.5845.187 for macOS and Linux. Additionally, users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should apply these fixes as soon as they become available. 
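The version check above can be run across a fleet inventory. The following is an added example, not code from Google or the article's publisher: the host names and inventory lines are constructed, and it assumes any Chrome build numerically at or above 116.0.5845.187 carries the fix.

```python
import re

# Lowest fixed build named in the article (116.0.5845.188 is the
# alternate Windows build and compares as higher).
FIXED = (116, 0, 5845, 187)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify one inventory line against the fixed build.

    Versions are compared as integer tuples. Comparing the raw strings
    would rank '116.0.5845.96' above '116.0.5845.187' and hide an
    unpatched host.
    """
    version = parse_version(text)
    if version is None:
        # Never treat an unreadable version as patched.
        return "unknown"
    return "patched" if version >= FIXED else "needs_update"


def report(inventory):
    """Group host names by patch status."""
    result = {"patched": [], "needs_update": [], "unknown": []}
    for host, text in inventory:
        result[classify(text)].append(host)
    return result


# Constructed sample inventory: (host, output of the browser's --version).
INVENTORY = [
    ("ws-01", "Google Chrome 116.0.5845.96"),
    ("ws-02", "Google Chrome 116.0.5845.187"),
    ("ws-03", "Google Chrome 116.0.5845.188"),
    ("ws-04", "Google Chrome 115.0.5790.170"),
    ("ws-05", "chrome: command not found"),
]

if __name__ == "__main__":
    for status, hosts in report(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need a manual check rather than being counted as patched.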

IS YOUR BUSINESS AT RISK? Ongoing vulnerability scanning should be standard within your environment and Managed IT Service contract. If it is not, you could go an unknown amount of time before you realize your business has a vulnerability, and at that point it might be too late.

What types of scans should I verify take place and how often?

At a minimum, these should be conducted 1-2 times per year, but our team utilizes continuous scanning to ensure we are aware of applicable vulnerabilities and patching them as they come up.

1. Network
2. Host-based
3. Wireless
4. Application
5. Database

We hope this information has helped provide some insight into protecting your business. If you ever need a second opinion, PCG systems is a managed IT service provider with a wealth of knowledge on protecting your business. We are also providing no-cost vulnerability assessments for a limited time.