Google released an urgent security update for its Chrome browser. The patch contains the fix for CVE-2023-4863, a heap buffer overflow vulnerability that can simply be exploited. Actually, Google states that this vulnerability has already been used in the wild. The breach affects browser builds for all supported OS – Mac, Linux and Windows.
Google Chrome Vulnerability Exploited in the Wild
The bug with heap buffer, that made the CVE-2023-4863 possible, is related to the way Chrome handles WebP images. By default, Windows assigns the browser as a way to display images of that format, and it remains unchanged in the vast majority of cases. Thus, the potential audience of exploitation is humongous – Chrome retains its monopoly on the browser market. WebP, at the same time, steadily substitutes “classic” image formats.
Originally, the flaw became known on September 6, 2023, after the corresponding research by Apple SEAR and Citizen Lab at The University of Toronto was sent to Google. The company, however, hesitates with publishing more extensive information upon the case. All that is known now is that the buffer overflow bug that happens during the WebP image reading can allow for arbitrary code execution. Alternatively, the browser may simply crash – which is to be expected with buffer overflow bugs. On the CVE MITRE resource, the exploit is listed though lacks any details besides the basics I’ve already mentioned.
How Critical CVE-2023-4863 is?
Arbitrary/remote code execution bugs are quite common to receive highest marks on exploit severity ratings. And when combined with eased in-the-wild usage and large selection of targets, the threat becomes truly massive. Millions of people use Chrome on a daily basis, and facing WebP images is common as well. Hackers can try to do whatever they want to millions of users, by simply sending the specifically crafted image.
Protect Yourself Against Chrome Exploits
Despite Google being sluggish with publishing the way the exploit works, they are fast on updates. The updates 116.0.5845.187/.188 for Windows (Stable/Extended) and 116.0.5845.187 for Mac have the vulnerability fixed. Updating the browser is plain and simple – go to Settings, and get down to the About Chrome button. Clicking it will initiate the browser update checkup, and if there is a newer version available – you’ll receive it.
But what can you do to avoid falling victim to exploits that were not uncovered and/or patched? Zero-trust is the only option that gives you reliable protection against such exploits. Its name is self-explanatory – solutions with such a policy treat any program as potentially dangerous. However, solutions with such a policy are mostly oriented towards corporate clients. And overall, negatives of having a paranoiac security solution in your system overwhelm situational profits. For individual users, I’d recommend looking for other options.
Your own awareness gives you a great advantage. The vast majority of phishing attacks bear on a single supposement – the victim will be too ignorant and reckless to notice the incoming fraud. And what can be more pleasant than crushing fraudsters’ hopes? Sure, this requires knowledge of what exactly you should seek, but these tips will do you a great service even away from scam avoidance.