9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.611 Medium
EPSS
Percentile
97.8%
Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild.
Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash.
Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School have been credited with discovering and reporting the flaw on September 6, 2023.
The tech giant has yet to disclose additional details about the nature of the attacks, but noted that it’s “aware that an exploit for CVE-2023-4863 exists in the wild.”
With the latest fix, Google has addressed a total of four zero-day vulnerabilities in Chrome since the start of the year -
The development comes the same day Apple expanded fixes to remediate CVE-2023-41064 for the below devices and operating systems -
CVE-2023-41064 relates to a buffer overflow issue in the Image I/O component that could lead to arbitrary code execution when processing a maliciously crafted image.
UPCOMING WEBINAR
[Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
](<https://thehacker.news/identity-attack-surface?source=inside>)
Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats
According to the Citizen Lab, CVE-2023-41064 is said to have been used in conjunction with CVE-2023-41061, a validation issue in Wallet, as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.
The fact that both CVE-2023-41064 and CVE-2023-4863 hinge around image processing and that the latter has been reported by Apple and the Citizen Lab suggests there could be a potential connection between the two.
Users are recommended to upgrade to Chrome version 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.611 Medium
EPSS
Percentile
97.8%