Google has released an emergency security update to patch an actively exploited vulnerability identified as CVE-2023-4863 in Chrome, making it the fourth zero-day found in the browser this year.
The company issued a security advisory on Monday, acknowledging the existence of an exploit for CVE-2023-4863 in the wild. The latest Google Chrome, version 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows, has been rolled out to users in the Stable and Extended stable channels. It is expected to reach the entire user base over the coming days and weeks.
Users are strongly advised to upgrade their web browsers as soon as possible to protect their systems from potential threats associated with CVE-2023-4863. Users can access the Chrome menu > Help > About Google Chrome to check for updates. The browser will automatically search for and install updates after a restart.
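For fleets where opening the About dialog on every machine is impractical, the check described above can be scripted against a software inventory. The following is an added example, not code from Google or from the advisory: it parses Chrome version strings and compares them numerically against the patched builds named above (116.0.5845.187 for Mac and Linux, 116.0.5845.187/.188 for Windows). The inventory lines are constructed sample data; a real run would feed in whatever your endpoint management tool exports.

```python
"""Flag Chrome installs that predate the CVE-2023-4863 fix (added example)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Minimum patched build per platform, taken from the advisory text.
# On Windows both .187 and .188 carry the fix, so .187 is the floor there too.
FIXED_VERSIONS: Dict[str, Version] = {
    "mac": (116, 0, 5845, 187),
    "linux": (116, 0, 5845, 187),
    "windows": (116, 0, 5845, 187),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the four-part Chrome version from a free-form string such as
    'Google Chrome 116.0.5845.187'. Raises ValueError if none is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    major, minor, build, patch = (int(part) for part in match.groups())
    return (major, minor, build, patch)


def is_patched(installed: str, platform: str) -> bool:
    """True when the installed build is at or above the fixed build.

    Comparison is on integer tuples, not strings: as text, '116.0.5845.96'
    sorts after '116.0.5845.187', which would wrongly mark it as patched.
    """
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(installed) >= FIXED_VERSIONS[key]


def assess(inventory: List[str]) -> Dict[str, str]:
    """Map host name -> 'patched', 'vulnerable' or 'unknown' for CSV-style
    lines of the form 'host,platform,version string'."""
    report: Dict[str, str] = {}
    for line in inventory:
        host, platform, version_text = (f.strip() for f in line.split(",", 2))
        try:
            report[host] = "patched" if is_patched(version_text, platform) else "vulnerable"
        except ValueError:
            report[host] = "unknown"  # unparsable version or unrecognised platform
    return report


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    "host01,windows,Google Chrome 116.0.5845.140",
    "host02,windows,Google Chrome 116.0.5845.188",
    "host03,linux,Chromium 116.0.5845.96",
    "host04,mac,Google Chrome 117.0.5938.62",
    "host05,linux,Google Chrome (version unavailable)",
]

if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "vulnerable" are the ones to push the update to first; "unknown" entries usually mean the inventory export is missing the version field and need a manual look.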
CVE-2023-4863 is classified as a critical zero-day vulnerability and stems from a heap buffer overflow in WebP image handling, a memory-safety weakness whose consequences range from browser crashes to arbitrary code execution.
Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School were the first to report this bug, on September 6. The Citizen Lab is renowned for uncovering zero-day vulnerabilities exploited in targeted spyware attacks by government-backed actors, attacks that often target high-risk individuals such as politicians, journalists, and dissidents worldwide.
Google has not disclosed specific details about the attacks exploiting CVE-2023-4863. However, it has stated that access to bug details and links may remain restricted until most users have received the fix. This approach aims to prevent threat actors from developing exploits based on the technical specifics of the vulnerability.
“Access to bug details and links may be kept restricted until most users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.”
Last week, Google patched 33 Android vulnerabilities, including a zero-day vulnerability. Apple also released security updates to patch two zero-day vulnerabilities that were exploited as part of a sophisticated zero-click iMessage exploit chain named ‘BLASTPASS’.