Google, Microsoft and Mozilla patched a critical zero-day vulnerability that affects browsers and is being actively exploited.
The critical heap buffer overflow flaw, tracked as CVE-2023-4863, was discovered and reported by Apple's Security Engineering and Architecture (SEAR) team as well as Citizen Lab on Sept. 6. The vulnerability was discovered in WebP, an image file format developed by Google and supported by other browser makers. The flaw affects Google Chrome versions prior to 116.0.5845.187 and allows a remote attacker to perform an out-of-bounds memory write through a malicious WebP image.
Google issued an emergency patch for CVE-2023-4863 on Monday. The advisory said updates for the stable and extended stable channels for Mac, Linux and Windows would be completed in the coming days or weeks. Microsoft and Mozilla released fixes for Edge and Firefox, respectively, the following day.
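Because the advisory names a specific first fixed build (116.0.5845.187) rather than a major version, a fleet check has to compare the full dotted version, not just the "116". The following is an added example, not code from the article or from Google: a small Python triage helper that parses Chrome version strings, pads shorter strings so they compare correctly, and reports which hosts in a constructed sample inventory still predate the fixed build. The hostnames and the sample versions other than 116.0.5845.187 are constructed for illustration.

```python
# Added example: flag Chrome installs that predate the first patched build
# named in the advisory for CVE-2023-4863. Hostnames and all version strings
# except the fixed build are constructed sample data.
from typing import List, Tuple

FIXED_CHROME_VERSION = "116.0.5845.187"  # first fixed build, from the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a 4-tuple of ints.

    Trailing components that are missing are treated as zero, so "116.0"
    compares as 116.0.0.0 and a string comparison mistake ("116.0.5845.9"
    sorting after "116.0.5845.187") cannot happen.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4])


def is_vulnerable(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames (in inventory order) whose Chrome still needs the update."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed sample inventory: (hostname, Chrome version reported by the host).
SAMPLE_INVENTORY = [
    ("ws-01", "116.0.5845.180"),  # same branch, older build: vulnerable
    ("ws-02", "116.0.5845.187"),  # exactly the fixed build: not vulnerable
    ("ws-03", "117.0.5938.62"),   # later major version: not vulnerable
    ("ws-04", "115.0.5790.170"),  # earlier major version: vulnerable
    ("ws-05", "116.0.5845.9"),    # short last component; a plain string sort
                                  # would wrongly place this after .187
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome update required")
```

The comparison applies only to Chrome's own numbering: Edge, Firefox, Firefox ESR and Thunderbird carry their own fixed versions, which the article does not list, and the underlying libwebp code is also shipped inside other applications, so a browser version check alone does not establish that a host is free of the flaw.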
Attacks appear to be limited to Google Chrome for now, though Mozilla's advisory said the company was "aware of this issue being exploited in other products in the wild." In addition to Firefox, Mozilla said the vulnerability affects Firefox ESR and Thunderbird.
Separately, Microsoft urged its users to upgrade to the latest version of Microsoft Edge, which is Chromium-based. Microsoft also emphasized that the vulnerability was discovered in Chromium open source software (OSS), namely WebP. Ongoing difficulties in securing OSS have made it an increasing priority in the White House's cybersecurity initiatives.
While Google confirmed it's aware that an exploit for CVE-2023-4863 exists in the wild, attack details remain unknown as users scramble to patch.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," Google wrote in the security advisory.
CVE-2023-4863 is the latest zero-day vulnerability reported by Citizen Lab. Last week, researchers discovered an actively exploited zero-click iOS vulnerability that was used to deliver NSO Group's Pegasus spyware.
An investigation determined that an exploit chain, which Citizen Lab dubbed "Blastpass," involved two Apple vulnerabilities. Apple's SEAR team was also involved with the reporting process for the WebP vulnerability.
The first vulnerability that led to the deployment of spyware was a buffer overflow issue tracked as CVE-2023-41064, and the second was a validation issue that was assigned CVE-2023-41061. Apple said it was aware of reports that the vulnerabilities might have been actively exploited and urged users to patch.
Citizen Lab said Blastpass was discovered on the device of an employee with "a Washington DC-based civil society organization" and that it could be mitigated by Apple's Lockdown Mode. An investigation into the exploit chain continues, but researchers said it involved "PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."
In 2021, Apple filed a lawsuit against NSO Group claiming that the vendor deliberately targeted Apple customers and products.
Arielle Waldman is a Boston-based reporter covering enterprise security news.