Google patches zero-day exploited by commercial spyware vendor
Google has rushed to patch a zero-day vulnerability in Chrome that was exploited by a commercial spyware vendor.
The vulnerability was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released. Google said it is aware that an exploit for the vulnerability, tracked as CVE-2023-5217 and described as a “heap buffer overflow in vp8 encoding in libvpx”, exists in the wild.
Google’s advisory does not provide any further information about attacks exploiting the zero-day. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company said.
Google TAG did not immediately respond to TechCrunch’s questions, but TAG researcher Maddie Stone said in a post on X, previously Twitter, that the Chrome vulnerability had been exploited to install spyware.
The vulnerability is fixed in Google Chrome 117.0.5938.132, which is rolling out now to Windows, Mac, and Linux users in the Stable Desktop channel.
Just last week, Google TAG revealed that three zero-days recently patched by Apple were pushed out to block an exploit used to plant the Predator spyware on the phone of an Egyptian presidential candidate. Predator is a spyware developed by Cytrox, a controversial commercial spyware vendor, that can steal the contents of a victim’s phone once installed.
The release of an emergency patch for Chrome comes just weeks after Google fixed another actively exploited zero-day that that was discovered by Apple’s Security Engineering and Architecture (SEAR) team and Citizen Lab, a digital rights organization at The University of Toronto that has investigated spyware for more than a decade.
This vulnerability was initially misidentified as a Chrome vulnerability, but Google has since assigned it to the open-source libwebp library used to encode and decode images in WebP format. This reclassification has ramifications for numerous and popular apps using libwebp, which includes 1Password, Firefox, Microsoft Edge, Safari and Signal.
Security researchers have linked the vulnerability, which was given a maximum 10/10 severity rating, to the zero-click iMessage exploit chain, named BLASTPASS, used to deploy the NSO Group’s Pegasus spyware on compromised iPhones.
BLASTPASS was used against a member of a civil society organization in Washington, D.C., according to Citizen Lab’s Bill Marczak, who discovered the exploit. Speaking at TechCrunch Disrupt last week, Marczak said: “The root of the vulnerability was a bug in Google’s WebP image library, which is integrated into the iPhone. Attackers found some way to exploit this to run arbitrary code within Apple’s iMessage sandbox to install spyware on the system.”