Future Tech

Google's Chrome gets caught with its WebP down, offers hasty patch-up

Tan KW
Publish date: Wed, 13 Sep 2023, 08:59 AM

Google has rushed out a fix for a vulnerability in its Chrome browser, noting that an exploit already exists in the wild.

The search giant has followed Apple in hurriedly issuing an update in response to research from The Citizen Lab at The University of Toronto's Munk School. It also credited the Apple Security Engineering and Architecture (SEAR) team for the report.

The critical vulnerability, CVE-2023-4863, is related to a heap buffer overflow in WebP. WebP, according to Google, "is a modern image format that provides superior lossless and lossy compression for images on the web." Sadly, it also appears to be a boon for malware distributors.

Google has updated the Stable and Extended channels for Chrome to 116.0.5845.187 for Mac and 116.0.5845.187/.188 for Windows. The Extended Stable channel will roll out over the coming days or weeks.

As well as being natively supported in other Chromium browsers, such as Edge and Opera, WebP is used in several different tools and image editors. We asked Microsoft if Edge was also affected and will update should the company respond.

Other than acknowledging that an exploit already existed in the wild, Google was tight-lipped regarding the specifics of the exploit, saying only: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."

It added: "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven't yet fixed."

Vivaldi developer and security expert Tarquin Wilton-Jones told The Register: “Vivaldi tracks Chromium updates very closely, and for security fixes, either the update or a patch is taken in, and released as soon as possible, sometimes within a couple of days, sometimes even the same day.”

He added: “A fix has been included for this particular issue in the most recent Vivaldi update.”

An exploit of a buffer overflow tends to result in a crash or the execution of arbitrary code. Last week, Apple dealt with two issues: CVE-2023-41061 and CVE-2023-41064. The latter was also a buffer overflow issue in an image component. Citizen Lab referred to the exploit as BLASTPASS, which required no interaction from the user for Pegasus spyware to be downloaded upon receipt of a malicious image.

While Google has been light on specifics, the credit given to the reporters of CVE-2023-4863, as well as the timing and type, indicates there could be a connection between this and the issue Apple patched last week.

Either way, with an exploit already out in the wild, validating and applying the patch when it becomes available would appear to be the prudent approach. ®

 

https://www.theregister.com//2023/09/12/chrome_browser_webp_exploit/
