A new zero-day vulnerability has been discovered in Google Chrome and Mozilla Firefox, two of the most popular web browsers in the world. The vulnerability, which is being actively exploited by hackers, could also affect many other software packages that use a common media encoding library.
The vulnerability, identified as CVE-2023-5217, is a heap buffer overflow in the VP8 encoding function of libvpx, a library that implements the WebM video format. A heap buffer overflow occurs when a program tries to write more data to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory locations. This can lead to unexpected behavior, crashes, or even remote code execution, which means that an attacker can run arbitrary commands on the victim’s system.
The vulnerability was discovered by Clement Lecigne of Google’s Threat Analysis Group (TAG) on Monday, September 25, 2023, and reported to the libvpx developers and the affected vendors. Google and Mozilla released patches for Chrome and Firefox on Wednesday, September 27, 2023, and urged their users to update their browsers as soon as possible. The latest versions of Chrome and Firefox that contain the fix are 117.0.5938.132 and 118.0.1, respectively.
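As an added illustration (not part of the original article), the following Python helper compares installed browser versions against the fixed builds named above, 117.0.5938.132 for Chrome and 118.0.1 for Firefox, and lists the hosts in a constructed inventory that still need the update. Hostnames and installed versions are made-up sample data; the check covers only the release-channel version numbers the article gives.

```python
"""Flag Chrome/Firefox installs that predate the CVE-2023-5217 fix."""
from __future__ import annotations

# Fixed versions as stated in the article.
FIXED_VERSIONS = {
    "chrome": "117.0.5938.132",
    "firefox": "118.0.1",
}

# Constructed sample inventory: hostname -> (product, installed version).
SAMPLE_INVENTORY = {
    "ws-01": ("chrome", "117.0.5938.92"),
    "ws-02": ("chrome", "117.0.5938.132"),
    "ws-03": ("firefox", "118.0"),
    "ws-04": ("firefox", "118.0.1"),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers.

    A trailing non-numeric suffix on a component is dropped, so
    '118.0.1beta' parses as (118, 0, 1). String comparison would get
    '117.0.5938.92' vs '117.0.5938.132' wrong; integer tuples do not.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed version.

    Both tuples are zero-padded to the same length first, because Python
    orders (118, 0, 1) below (118, 0, 1, 0) even though they are equal.
    """
    fixed = parse_version(FIXED_VERSIONS[product.lower()])
    have = parse_version(installed)
    width = max(len(fixed), len(have))
    fixed += (0,) * (width - len(fixed))
    have += (0,) * (width - len(have))
    return have >= fixed


def triage(inventory: dict[str, tuple[str, str]]) -> list[str]:
    """Return the hosts whose browser still lacks the fix."""
    return [host for host, (prod, ver) in inventory.items() if not is_patched(prod, ver)]
```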
According to Google, the vulnerability is being exploited in the wild by a commercial surveillance vendor, which means that it is likely being used to spy on or compromise the targets of the vendor’s clients. However, Google did not provide any details about the nature or scope of the attacks, or who the victims or the attackers are.
The vulnerability is particularly dangerous because it affects not only Chrome and Firefox, but also any other software package that uses libvpx for VP8 encoding. VP8 is a video compression format that is widely used on the web, especially for WebRTC applications that enable real-time communication, such as video conferencing, voice calls, and screen sharing. Libvpx is the official reference implementation of VP8, and it is used by many software vendors and developers to support the format.
Some of the software packages that depend on libvpx include Skype, Adobe Flash Player, VLC Media Player, Android, and various drivers and utilities from AMD, Nvidia, and Logitech. However, not all of these packages are necessarily vulnerable to CVE-2023-5217, as the vulnerability only affects the encoding function of libvpx, not the decoding function. This means that only software packages that allow users to create or upload VP8 videos are at risk, not those that only play or display them.
Nevertheless, the potential impact of the vulnerability is still very large, as it could affect millions of users and devices across different platforms and sectors. For example, a malicious website could exploit the vulnerability to execute code in visitors’ browsers, or a rogue application could exploit it to take over users’ devices. Moreover, code execution inside a program that relies on libvpx could be used to undermine that program’s own protections, such as sandboxing or encryption.
The discovery of CVE-2023-5217 is the second time in less than a month that a zero-day vulnerability has been found in a widely used media encoding library. On September 11, 2023, Google disclosed CVE-2023-4863, a buffer overflow in the WebP image format, which is also supported by libvpx. The vulnerability affected both encoding and decoding functions of WebP, and it was also being exploited in the wild. Google and Mozilla patched their browsers for CVE-2023-4863 on September 13, 2023.
These two incidents highlight the importance of securing the media encoding libraries that are used by many software packages, as they can pose a significant threat to the security and privacy of users and organizations. The developers and vendors of these libraries should conduct regular and rigorous security audits and testing of their code, and fix any flaws or bugs as soon as possible. They should also provide timely and accurate information to their customers and the public about the vulnerabilities and patches of their products, and ensure that they are widely and easily available.
The users and administrators of the software packages that use these libraries should be equally vigilant and proactive in updating their software to the latest versions that contain the security fixes. They should monitor their systems and networks for any signs of compromise or intrusion, report any suspicious or malicious activity to the relevant authorities, and follow established best practices for securing their devices and data, such as using strong passwords, enabling multi-factor authentication, and avoiding unknown links or attachments.