Google connected Monday rolled retired out-of-band information patches to code a captious information flaw successful its Chrome web browser that it said has been exploited successful the wild.
Tracked arsenic CVE-2023-4863, the contented has been described arsenic a lawsuit of heap buffer overflow that resides successful the WebP representation format that could effect successful arbitrary codification execution oregon a crash.
Apple Security Engineering and Architecture (SEAR) and the Citizen Lab astatine The University of Toronto's Munk School person been credited with discovering and reporting the flaw connected September 6, 2023.
The tech elephantine has yet to disclose further details astir the quality of the exploit, but noted that it's "aware that an exploit for CVE-2023-4863 exists successful the wild."
With the latest fix, Google has addressed a full of 4 zero-days successful Chrome since the commencement of the twelvemonth -
- CVE-2023-2033 (CVSS score: 8.8) - Type Confusion successful V8
- CVE-2023-2136 (CVSS score: 9.6) - Integer overflow successful Skia
- CVE-2023-3079 (CVSS score: 8.8) - Type Confusion successful V8
The improvement comes the aforesaid time Apple expanded fixes to remediate CVE-2023-41064 for the beneath devices and operating systems -
- iOS 15.7.9 and iPadOS 15.7.9 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod interaction (7th generation)
- macOS Big Sur 11.7.10 and macOS Monterey 12.6.9
CVE-2023-41064 relates to a buffer overflow contented successful the Image I/O constituent that could pb to arbitrary codification execution erstwhile processing a maliciously crafted image.UPCOMING WEBINAR
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
Achieved MFA? PAM? Service relationship protection? Find retired however well-equipped your enactment genuinely is against individuality threatsSupercharge Your Skills
According to the Citizen Lab, CVE-2023-41064 is said to person been utilized successful conjunction with CVE-2023-41061, a validation contented successful Wallet, arsenic portion of a zero-click iMessage exploit concatenation named BLASTPASS to deploy Pegasus connected fully-patched iPhones moving iOS 16.6.
The information that some CVE-2023-41064 and CVE-2023-4863 hinge astir representation processing and that the second has been reported by Apple and the Citizen Lab suggests determination could beryllium a imaginable transportation betwixt the two.
Users are recommended to upgrade to Chrome mentation 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux to mitigate imaginable threats. Users of Chromium-based browsers specified arsenic Microsoft Edge, Brave, Opera, and Vivaldi are besides advised to use the fixes arsenic and erstwhile they go available.