Google fixes another Chrome zero-day bug exploited in attacks



Google has released emergency security updates to fix the fourth Chrome zero-day vulnerability exploited in attacks since the start of the year.

"Google is aware that an exploit for CVE-2023-4863 exists in the wild," the company revealed in a security advisory published on Monday.

The new version is currently rolling out to users in the Stable and Extended stable channels, and it is estimated that it will reach the entire user base over the coming days or weeks.

Chrome users are advised to upgrade their web browser to version 116.0.5845.187 (Mac and Linux) or 116.0.5845.187/.188 (Windows) as soon as possible, as these builds patch the CVE-2023-4863 vulnerability on Windows, Mac, and Linux systems.

This update was immediately available when BleepingComputer checked for new updates via the Chrome menu > Help > About Google Chrome.

The web browser will also check for new updates and install them automatically without requiring user interaction, although the update only takes effect after a restart.
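For fleet or self-checks, the comparison that matters is whether the installed build is at or above 116.0.5845.187 (the Windows .188 build is also fixed), compared component by component rather than as a string. The following script is an added example, not code from Google or from the original article; the binary names and the macOS application path it tries when locating a local Chrome are assumptions, and the version strings in the test are constructed inputs.

```python
"""Check whether a Chrome version is at or above the build that patches
CVE-2023-4863 (116.0.5845.187; Windows additionally ships .188).

Added example, not Google's or BleepingComputer's code.
"""
import os
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Minimum patched build on every platform, per Google's advisory as
# reported in the article above.
FIXED_VERSION = (116, 0, 5845, 187)

# Assumed locations of a local Chrome/Chromium install (Linux and macOS).
# Adjust for your own deployment; Windows is not covered here.
CANDIDATE_BINARIES = [
    "google-chrome",
    "google-chrome-stable",
    "chromium",
    "chromium-browser",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
]


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 116.0.5845.187' or a bare '116.0.5845.188'.
    Raises ValueError when no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str) -> bool:
    """True when the version is >= 116.0.5845.187.

    Tuple comparison orders each component numerically, so 116.0.5845.96
    is correctly ranked below 116.0.5845.187; a plain string comparison
    would rank '96' above '187' because '9' > '1'."""
    return parse_version(version_text) >= FIXED_VERSION


def installed_chrome_version() -> Optional[str]:
    """Best-effort lookup of the local Chrome by running `--version` on the
    first candidate binary found. Returns the raw version line, or None if
    no binary could be run."""
    for exe in CANDIDATE_BINARIES:
        path = exe if os.path.isabs(exe) and os.path.exists(exe) else shutil.which(exe)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    raw = installed_chrome_version()
    if raw is None:
        print("No Chrome/Chromium binary found in the assumed locations.")
    else:
        state = "patched" if is_patched(raw) else "VULNERABLE to CVE-2023-4863"
        print(f"{raw}: {state}")
```

Run it on the endpoint itself; on Windows, feed the version shown under Help > About Google Chrome to `is_patched()` instead, since the binary lookup above only covers Linux and macOS.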


Attack details not yet available

The critical zero-day vulnerability (CVE-2023-4863) is caused by a heap buffer overflow in WebP image handling, whose impact ranges from crashes to arbitrary code execution.

The bug was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School last Wednesday, September 6.

Citizen Lab security researchers have often found and disclosed zero-day bugs abused in highly targeted spyware attacks by government-backed threat actors against high-risk individuals such as opposition politicians, journalists, and dissidents worldwide.

On Thursday, Apple patched two zero-days tagged by Citizen Lab as being exploited in attacks as part of an exploit chain known as BLASTPASS to infect fully patched iPhones with NSO Group's Pegasus mercenary spyware.

While Google said the CVE-2023-4863 zero-day has been exploited in the wild, the company has yet to share more details regarding these attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

This means that Chrome users can update their browsers to thwart attacks before additional technical specifics are released, since those details could allow more threat actors to create their own exploits and deploy them in the wild.