Google has released an update to fix a critical bug in its browser, Chrome. The tech giant says the flaw has been exploited in the wild.
“Google is aware that an exploit for CVE-2023-4863 exists in the wild,” the company said in an advisory, but refrained from detailing the precise nature of it.
Users in the stable and extended stable channels will be the first to receive the update. Google said other users will receive the patch in the coming days and weeks.
Google described the vulnerability, tracked as CVE-2023-4863, as a heap buffer overflow in WebP, the image format library. In other words, more data was written to a heap-allocated buffer than it could hold, which could let a threat actor leverage the flaw for arbitrary code execution – essentially, to mount a cyberattack.
The bug impacting Chrome was reported by Apple Security Engineering and Architecture (SEAR) and Citizen Lab at the University of Toronto’s Munk School on September 9th, Google said.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” reads the tech giant’s advisory.
The latest Chrome zero-day is the fourth of its kind Google has had to fix this year after the tech giant patched CVE-2023-2033, CVE-2023-2136, and CVE-2023-3079.
Last week, Citizen Lab discovered a zero-click vulnerability affecting Apple devices. “Zero-click” means the target doesn’t have to tap or click anything to trigger the attack. According to the researchers, the vulnerability was used to deliver NSO Group’s Pegasus spyware.
The Pegasus Project revealed that the spyware, made and licensed by NSO Group, had been used in attempted and successful hacks of smartphones belonging to journalists, government officials, and human rights activists.