Zero-day Vulnerability Exploited by Commercial Spyware Vendor Patched by Google
A zero-day vulnerability in Chrome that was exploited by a commercial spyware vendor has been patched by Google. The Chrome team received the report from Clément Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch shipped. Google said it is aware that an exploit for the vulnerability, tracked as CVE-2023-5217 and described as a “heap buffer overflow in vp8 encoding in libvpx,” exists in the wild.
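Google’s advisory describes the bug only as a heap buffer overflow in vp8 encoding. The C snippet below is an added illustration of that bug class, written for this page: an encoder that sizes its working buffer at initialisation and then trusts the dimensions carried by later frames, shown beside a hardened form that validates and grows the buffer before writing. It is not libvpx code and does not claim to reproduce the actual flaw or any exploit; the `enc_ctx` type and the `enc_*` functions are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical encoder state (illustrative only, not libvpx's). */
typedef struct {
    size_t width;       /* dimensions the buffer was sized for */
    size_t height;
    size_t buf_len;     /* bytes actually allocated for frame_buf */
    uint8_t *frame_buf; /* working copy of the current frame (luma only) */
} enc_ctx;

/* Allocate the working buffer for the configured frame size, one byte per pixel. */
int enc_init(enc_ctx *ctx, size_t width, size_t height) {
    if (width == 0 || height == 0 || width > SIZE_MAX / height) return -1;
    ctx->width = width;
    ctx->height = height;
    ctx->buf_len = width * height;
    ctx->frame_buf = calloc(ctx->buf_len, 1);
    return ctx->frame_buf ? 0 : -1;
}

void enc_free(enc_ctx *ctx) {
    free(ctx->frame_buf);
    ctx->frame_buf = NULL;
    ctx->buf_len = 0;
}

/* Vulnerable pattern: copies the frame using the dimensions supplied with it,
   never comparing them against the allocation made at init. A later frame that
   is larger than the first writes past the end of the heap buffer. */
int enc_frame_unchecked(enc_ctx *ctx, const uint8_t *pixels, size_t width, size_t height) {
    for (size_t row = 0; row < height; row++)
        memcpy(ctx->frame_buf + row * width, pixels + row * width, width);
    return 0;
}

/* Hardened form: reject bad dimensions (with an overflow-safe multiply) and
   grow the buffer before any write, so a mid-stream resize cannot overflow. */
int enc_frame_checked(enc_ctx *ctx, const uint8_t *pixels, size_t width, size_t height) {
    if (width == 0 || height == 0 || width > SIZE_MAX / height) return -1;
    size_t need = width * height;
    if (need > ctx->buf_len) {
        uint8_t *grown = realloc(ctx->frame_buf, need);
        if (!grown) return -1;
        ctx->frame_buf = grown;
        ctx->buf_len = need;
    }
    ctx->width = width;
    ctx->height = height;
    memcpy(ctx->frame_buf, pixels, need);
    return 0;
}

int main(void) {
    enc_ctx ctx;
    if (enc_init(&ctx, 16, 16) != 0) return 1;

    /* Constructed sample frames: a 16x16 frame that fits, then a 32x32 one. */
    uint8_t small[16 * 16];
    uint8_t big[32 * 32];
    memset(small, 0xAB, sizeof small);
    memset(big, 0xCD, sizeof big);

    enc_frame_unchecked(&ctx, small, 16, 16);      /* fits: fine */
    /* enc_frame_unchecked(&ctx, big, 32, 32); */  /* would overflow the 256-byte buffer */
    int rc = enc_frame_checked(&ctx, big, 32, 32); /* grows buffer to 1024 bytes */
    printf("checked resize rc=%d buf_len=%zu\n", rc, ctx.buf_len);
    enc_free(&ctx);
    return rc;
}
```

Compiling the block with `-fsanitize=address` and uncommenting the unchecked 32x32 call makes ASan report the heap-buffer-overflow on the first out-of-bounds row, which is the kind of signal fuzzers rely on to find this class of bug in real codecs.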
Google’s advisory refrains from offering further details about the attacks utilizing the zero-day, stating that “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
While Google TAG did not immediately respond to inquiries from TechCrunch, TAG researcher Maddie Stone disclosed in a post on X, previously Twitter, that the Chrome vulnerability had been exploited to deploy spyware.
.@_clem1 discovered another ITW 0-day in use by a commercial surveillance vendor: CVE-2023-5217. Thank you to Chrome for releasing a patch in TWO 🤯day!! https://t.co/QhzJonwLXi
— Maddie Stone (@maddiestone) September 27, 2023
The vulnerability has been resolved in Google Chrome 117.0.5938.132, which is currently being rolled out to Windows, Mac, and Linux users in the Stable Desktop channel.
Notably, Google TAG recently disclosed that Apple patched three zero-days used in an exploit chain that installed the Predator spyware on the phone of an Egyptian presidential candidate. Predator, developed by the controversial commercial spyware vendor Cytrox, can steal the contents of a victim’s phone once installed.
“The WebP 0day” — a full technical analysis of the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863). https://t.co/6yUcE9sOZa
— Ben Hawkes (@benhawkes) September 21, 2023
This emergency Chrome patch comes just weeks after Google fixed another actively exploited zero-day, CVE-2023-4863, which was initially tracked as a Chrome vulnerability. Google later attributed it to the open-source libwebp library, which encodes and decodes images in the WebP format. Because libwebp is embedded in many applications, the fix had to be shipped by 1Password, Firefox, Microsoft Edge, Safari, and Signal, among others. The vulnerability, assigned the maximum severity score of 10/10, has been linked to the zero-click iMessage exploit chain known as BLASTPASS, used to deploy NSO Group’s Pegasus spyware on compromised iPhones.
Citizen Lab’s Bill Marczak, who uncovered the exploit, said the root cause lay in Google’s WebP image library, which Apple ships in the iPhone. Attackers found a way to trigger the flaw to execute arbitrary code inside Apple’s iMessage sandbox and then install spyware on the device.