The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the new Google Chrome zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The bug, tracked as CVE-2023-5217, was patched by Google last week and carries a CVSS v3 score of 8.8 (High).
CVSS stands for Common Vulnerability Scoring System, which is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS scores are mapped to different severity ratings: None: 0.0, Low: 0.1 – 3.9, Medium: 4.0 – 6.9, High: 7.0 – 8.9, and Critical: 9.0 – 10.0.
CISA considers the Chrome bug a "significant risk to the federal enterprise," meaning a substantial threat to agencies in the Federal Civilian Executive Branch (FCEB). Those agencies have three weeks, until October 23, to apply the remediation.
The vulnerability is a heap buffer overflow in the VP8 encoder of libvpx, the open-source video codec library maintained by the WebM Project. Google has not yet released full details of the bug or of the exploit chain, but it has confirmed that the flaw can be triggered with a crafted HTML page and VP8 media stream. Because the defect sits in the library rather than in Chrome itself, any application that links libvpx and encodes VP8 from attacker-influenced input is potentially in scope, not only browsers.
Extent of the Risk: Widespread Effect of the Vulnerability
The vulnerability is not restricted to Google Chrome. Other open-source packages that depend on libvpx, 29 of them according to Arch Linux's reverse-dependency list, are also affected. Microsoft's Chromium-based Edge browser was likewise exposed; the fix shipped in Edge Stable 117.0.2045.47 and Extended Stable 116.0.1938.98.
Debian has released security updates for its oldstable (bullseye) and stable (bookworm) releases. The fixed libvpx packages are 1.9.0-1+deb11u1 and 1.12.0-1+deb12u1, respectively, and users should upgrade to at least those versions to protect against CVE-2023-5217.
A vulnerability disclosed earlier in September, CVE-2023-4863, is closely related: it was also a heap buffer overflow with the same 8.8 score, but in libwebp, a different open-source library (for the WebP image format) developed by Google.
Urgent Updates Needed
While the deadlines in the KEV Catalog are binding only on FCEB agencies, CISA recommends that all organizations apply the fixes promptly. Google has urged users to install the Stable channel update for Windows, Mac, and Linux, version 117.0.5938.132, which is rolling out progressively over the coming days and weeks. Chrome applies a downloaded update only on relaunch, so check the version under chrome://settings/help and relaunch rather than relying on the background updater alone.
For the earlier vulnerability, CVE-2023-4863, CISA had set a deadline of October 4. That bug also had a wide reach, since libwebp is used by Firefox, Thunderbird, Microsoft Edge, Opera, and Brave, among other major browsers.