
Google released emergency security updates to fix the fourth Chrome zero-day vulnerability exploited in attacks since the start of the year.

"Google is aware that an exploit for CVE-2023-4863 exists in the wild," the company revealed in a security advisory published on Monday.

The new version is currently rolling out to users in the Stable and Extended stable channels, and it's estimated that it will reach the entire user base over the coming days or weeks.

Chrome users are advised to upgrade their web browser to version 116.0.5845.187 (Mac and Linux) and 116.0.5845.187/.188 (Windows) as soon as possible, as it patches the CVE-2023-4863 vulnerability on Windows, Mac, and Linux systems.

This update was immediately available when BleepingComputer checked for new updates via the Chrome menu > Help > About Google Chrome.

The web browser also checks for new updates automatically and installs them after a restart, without requiring user interaction.


Attack details not yet available

The critical zero-day vulnerability (CVE-2023-4863) is a heap buffer overflow in the WebP code library (libwebp), with an impact that ranges from crashes to arbitrary code execution.

The bug was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School last Wednesday, September 6.

Citizen Lab security researchers have often found and disclosed zero-day bugs abused in highly targeted spyware attacks by government-backed threat actors against high-risk individuals such as opposition politicians, journalists, and dissidents worldwide.

On Thursday, Apple patched two zero-days tagged by Citizen Lab as being exploited in attacks as part of an exploit chain known as BLASTPASS to infect fully-patched iPhones with NSO Group's Pegasus mercenary spyware.

While Google said the CVE-2023-4863 zero-day has been exploited in the wild, the company has yet to share more details regarding these attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

This means that Chrome users can update their browsers to thwart attacks before additional technical specifics are released; those details could allow more threat actors to create their own exploits and deploy them in the wild.

Update September 12, 16:20 EDT: Mozilla also patched the CVE-2023-4863 zero-day today, as it affects the Firefox web browser as well (and other products using the libwebp library).
