Google kept itself in the security news this week by posting Wednesday that it had issued patches for a new actively exploited zero-day in the Chrome browser.
The new zero-day — CVE-2023-5217 — the fifth zero-day actively exploited in the wild that Google has patched this year, was described as a heap buffer overflow in vp8 encoding in the libvpx free codec library. The flaw was reported by Clément Lecigne of Google’s Threat Analysis Group on Monday.
…
The most recent zero-day comes on the heels of Google reporting this week on CVE-2023-5129, a critical vulnerability in the libwebp image library now considered a duplicate of CVE-2023-4863 that affects how images are processed, potentially allowing attackers to execute arbitrary code on affected systems. Guenther explained that it had a broad attack surface and its CVSS score was assigned as 10.0 by Google, while NIST rated it as a high severity 8.8.
…
Ashley Leonard, founder and CEO at Syxsense, added that CVE-2023-5129 is a vulnerability which has been newly revealed in the WebP image library, also referred to as the “0day in WebP.” Previously, this CVE (CVE-2023-4863) was thought to be specific to Google Chrome, but it has now been updated as a flaw in libwebp, explained Leonard.
