Google's Chrome gets caught with its WebP down, offers hasty patch-up

Google has rushed out a fix for a vulnerability in its Chrome browser, noting that an exploit already exists in the wild.

The search giant has followed Apple in hurriedly issuing an update in response to research from The Citizen Lab at The University of Toronto's Munk School. It also credited the Apple Security Engineering and Architecture (SEAR) team for the report.

The critical vulnerability, CVE-2023-4863, is related to a heap buffer overflow in WebP. WebP, according to Google, "is a modern image format that provides superior lossless and lossy compression for images on the web." Sadly, it also appears to be a boon for malware distributors.

Google has updated the Stable and Extended channels for Chrome to 116.0.5845.187 for Mac and 116.0.5845.187/.188 for Windows. The Extended Stable channel will roll out over the coming days or weeks.
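A fleet check against the fixed builds quoted above, as an added example that is not part of the original article or any Google tooling. The inventory records, host names and function names are assumptions made for illustration; platforms the article does not list are reported as unknown rather than guessed.

```python
import re

# Fixed builds as stated in the article; other platforms are not listed there.
FIXED_BUILDS = {
    "mac": (116, 0, 5845, 187),
    "windows": (116, 0, 5845, 187),  # article lists .187/.188; .187 is the floor
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as `chrome --version` output."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED_BUILDS.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # do not guess for unlisted platforms or unreadable versions
    return "patched" if version >= fixed else "vulnerable"


def audit(records):
    """Group host names by status so unpatched and unverifiable hosts stand out."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in records:
        report[classify(platform, version_text)].append(host)
    return report


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("mac-01", "mac", "Google Chrome 116.0.5845.187"),
    ("mac-02", "mac", "Google Chrome 116.0.5845.179"),
    ("win-01", "windows", "116.0.5845.188"),
    ("win-02", "windows", "Google Chrome 115.0.5790.171"),
    ("win-03", "windows", "Google Chrome 117.0.5938.62"),
    ("lin-01", "linux", "Google Chrome 116.0.5845.179"),
    ("mac-03", "mac", "version lookup failed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown group need a manual check, since an unreadable version string says nothing about whether the fix is installed.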

As well as being natively supported in other Chromium browsers, such as Edge and Opera, WebP is used in several other devices and image editors. We asked Microsoft if Edge was also affected and will update should the company respond.

Other than acknowledging that an exploit already existed in the wild, Google was tight-lipped regarding the specifics of the exploit, saying only: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."

It added: "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven't yet fixed."

Vivaldi developer and security expert Tarquin Wilton-Jones told The Register: “Vivaldi tracks Chromium updates very closely, and for security fixes, either the update or a patch is taken in, and released as soon as possible, sometimes within a couple of days, sometimes even the same day.”

He added: “A fix has been included for this particular issue in the most recent Vivaldi update.”

An exploit of a buffer overflow tends to result in a crash or the execution of arbitrary code. Last week, Apple dealt with two issues: CVE-2023-41061 and CVE-2023-41064. The latter was also a buffer overflow issue in an image component. Citizen Lab referred to the exploit as BLASTPASS, which required no interaction from the user for Pegasus spyware to be downloaded upon receipt of a malicious image.

While Google has been light on specifics, the credit given to the reporters of CVE-2023-4863, as well as the timing and type, indicates there could be a relationship between this and the issue Apple patched last week.

Either way, with an exploit already out in the wild, validating and applying the patch once it becomes available would seem to be the prudent approach. ®