In the News: Google patches new zero-day actively exploited in the Chrome browser
Originally published by SCMedia and Steve Zurier on September 28, 2023.

Google kept itself in the security news this week by posting Wednesday that it had issued patches for a new actively exploited zero-day in the Chrome browser.

The new zero-day, CVE-2023-5217, is the fifth actively exploited zero-day that Google has patched this year. It was described as a heap buffer overflow in VP8 encoding in the free libvpx codec library. The flaw was reported by Clément Lecigne of Google’s Threat Analysis Group on Monday.

The most recent zero-day comes on the heels of Google reporting this week on CVE-2023-5129, a critical vulnerability in the libwebp image library now considered a duplicate of CVE-2023-4863 that affects how images are processed, potentially allowing attackers to execute arbitrary code on affected systems. Guenther explained that it had a broad attack surface and its CVSS score was assigned as 10.0 by Google, while NIST rated it as a high severity 8.8.

Ashley Leonard, founder and CEO at Syxsense, added that CVE-2023-5129 is a vulnerability which has been newly revealed in the WebP image library, also referred to as the “0day in WebP.” Previously, this CVE (CVE-2023-4863) was thought to be specific to Google Chrome, but it has now been updated as a flaw in libwebp, explained Leonard.

Read the full story on SCMedia.