Video Encoding Library Leaves Chrome, Firefox and More Open to Zero-Day Attack

Google and Mozilla have patched the zero-day vulnerability, which originates in the libvpx library.
Google and Mozilla have patched a zero-day vulnerability in Chrome and Firefox, respectively. The vulnerability was being exploited by a commercial spyware vendor. It is a heap buffer overflow through which attackers could inject malicious code. Any software that uses VP8 encoding in libvpx or is based on Chromium (including Microsoft Edge) might be affected, not just Chrome or Firefox.
If you use Chrome, update to 117.0.5938.132 when it becomes available; Google Chrome says it may take “days/weeks” for all users to see the update. In Firefox, the exploit is patched in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1 and Firefox for Android 118.1.
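For teams tracking rollout across a fleet, the fixed versions above can be checked against a browser inventory. The following is an added example, not code from Google, Mozilla or TechRepublic; the product keys, status labels and sample inventory are constructed for illustration, and only the fixed version numbers come from this article.

```python
# Added example: compare inventoried browser versions with the fixed builds
# named in the article. Product keys and inventory rows are constructed.
FIXED = {
    "chrome": (117, 0, 5938, 132),
    "firefox": (118, 0, 1),
    "firefox-esr": (115, 3, 1),
    "firefox-focus-android": (118, 1),
    "firefox-android": (118, 1),
}

def parse_version(text):
    """Turn '117.0.5938.92' into (117, 0, 5938, 92); raise ValueError on junk."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def status(product, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one inventory row."""
    fixed = FIXED.get(product.lower())
    if fixed is None:
        # Edge and other Chromium/libvpx consumers: the article gives no
        # fixed build for them, so report unknown instead of guessing.
        return "unknown"
    try:
        have = parse_version(version_text)
    except ValueError:
        return "unknown"
    # Pad to equal length so '118.1' and '118.1.0' compare as equal, and
    # compare numerically so 115.10.0 is correctly newer than 115.3.1.
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    want = fixed + (0,) * (width - len(fixed))
    return "patched" if have >= want else "needs-update"

def audit(rows):
    """rows: iterable of (host, product, version) -> list with status appended."""
    return [(h, p, v, status(p, v)) for h, p, v in rows]

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("ws-001", "chrome", "117.0.5938.92"),
    ("ws-002", "chrome", "117.0.5938.132"),
    ("ws-003", "firefox", "118.0"),
    ("ws-004", "firefox-esr", "115.10.0"),
    ("ws-005", "edge", "117.0.2045.47"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row, sep="\t")
```

Rows reported as `unknown` are the ones to follow up by hand against the vendor's own advisory.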
The zero-day vulnerability is technically a heap buffer overflow in VP8 encoding in libvpx, a video codec library developed by Google and the Alliance for Open Media. The library is widely used to encode or decode video in the VP8 and VP9 video coding formats.
“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” the Firefox team wrote in their security advisory.
From there, the vulnerability “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” said the official Common Vulnerabilities and Exposures site.
The vulnerability is being tracked by Google as CVE-2023-5217. Clément Lecigne, a security researcher at Google’s Threat Analysis Group, found the flaw on September 25, leading to a patch on September 27.
“A commercial surveillance vendor” was actively using the exploit, researcher Maddie Stone of Google’s Threat Analysis Group noted on X.
There is not a lot more information available about the zero-day exploit at this time. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company wrote in the Chrome release update.
The Chrome update including the fix remediates nine other vulnerabilities.
“In this case, a browser-based exploit tied to libvpx will raise a few eyebrows as it can crash the browser and execute malicious code – at the permissions level the browser was running at,” said Rob T. Lee, chief curriculum director and head of faculty at the SANS Institute and a former technical advisor to the U.S. Department of Justice, in an email to TechRepublic. “That gives some comfort, but many exploits can do much more – including implants to allow remote access.”
IT leaders should communicate to employees that they should keep their browsers updated and remain aware of possible vulnerabilities. Another heap buffer overflow attack last week affected a variety of software using the WebP Codec, so it’s generally a good time to emphasize the importance of updates. Information on whether libvpx might be patched is not yet available, Ars Technica reported on Sept. 28.
“Implementing layered security and defense-in-depth strategies enable optimum mitigation of zero-day threats,” said Mozilla interim Head of Security John Bottoms in an email to TechRepublic.
“It is hard to prepare for organizations to prevent [zero-day exploits], similar to a decent social engineering attempt – the best you can do is shore up your logfiles and ensure that forensic evidence exists that can be traced back for months (if not years on critical systems),” said Lee. “Some tools can detect zero-days on the fly, including detections built into the operating system, but many of these sometimes degrade system performance.”
TechRepublic also reached out to Google for comment. At the time of publication, we have not received a reply.