CISA Adds Google Chrome Zero-Day Vulnerability To KEV Catalog
Federal Agencies Have Until October 23 To Patch the Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a zero-day vulnerability affecting Google Chrome to its Known Exploited Vulnerabilities (KEV) catalog. The addition, on October 2, 2023, follows Google's release of a patch for the bug on September 27. The flaw is tracked as CVE-2023-5217 and carries a CVSS v3 base score of 8.8 (High).
Inclusion in the KEV catalog means CISA has evidence that the bug is being exploited in the wild and judges it a significant risk to the federal enterprise. Under Binding Operational Directive 22-01, agencies in the Federal Civilian Executive Branch (FCEB) have three weeks, until October 23, to apply the vendor fix.
The bug is a heap buffer overflow in VP8 encoding in libvpx, the open-source video codec library from the WebM Project that Chrome bundles.
While Google has not provided extensive details about the vulnerability or the exploit chain, they have stated that information will remain restricted until a majority of users have updated to the safe version of Chrome.
Google also keeps restrictions in place when a bug lives in a third-party library that other projects depend on and have not yet fixed, which applies here: libvpx is shipped by other browsers and media software (Mozilla issued its own fix in Firefox 118.0.1). What has been disclosed is that a remote attacker could potentially exploit heap corruption via a crafted HTML page carrying a VP8 media stream.
Heap and stack memory are the usual targets when attackers build exploits for widely deployed applications. A heap buffer overflow lets an attacker overwrite adjacent heap data; at minimum that crashes the process, and with careful heap grooming it can lead to arbitrary code execution on the victim's machine.
Global use of Google Chrome highlights the seriousness of vulnerabilities like these, particularly in the context of government-level IT. Malicious cyber actors frequently target such vulnerabilities as attack vectors, posing significant risks to organizations and individuals alike.
The U.S. government's swift action in adding this vulnerability to the KEV catalog and setting a deadline for remediation underscores the urgency of addressing it. By providing agencies with a clear timeline, CISA aims to ensure the timely implementation of the recommended fixes to mitigate potential risks.
Given the potential impact on the federal enterprise, it is crucial for all affected agencies to prioritize the patching process. This includes conducting thorough assessments of their systems, identifying instances of Google Chrome that require updates, and promptly applying the recommended fixes.
Users are encouraged to update their Chrome browsers to the latest version as soon as possible. Regularly updating software is a fundamental cybersecurity practice that helps protect against known vulnerabilities and ensures the use of the most secure versions of applications.
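As an added example (not code from the page, from Google or from CISA), the script below reads the installed Chrome version, compares it with the first fixed stable build, 117.0.5938.132 (taken from Google's release notes, not stated on the page), and works out how many days remain before the KEV due date. The KEV entry is a constructed sample in the shape of CISA's JSON feed; the binary names tried and the fallback version are assumptions.

```python
"""Check an installed Chrome version against the CVE-2023-5217 fix and a KEV due date."""
import re
import subprocess
from datetime import date

# First Chrome stable build containing the libvpx fix (Google Stable Channel
# update of 27 September 2023). Not stated on the page; taken from the release notes.
FIXED_VERSION = "117.0.5938.132"

# Constructed sample entry using the field names of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# cveID, dateAdded and dueDate match what the article reports; the other fields
# are illustrative. Embedded here so the check runs offline.
SAMPLE_KEV_ENTRY = {
    "cveID": "CVE-2023-5217",
    "vendorProject": "Google",
    "product": "Chromium libvpx",
    "vulnerabilityName": "Google Chromium libvpx Heap Buffer Overflow Vulnerability",
    "dateAdded": "2023-10-02",
    "dueDate": "2023-10-23",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use "
                      "of the product if mitigations are unavailable.",
}

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){2,3})\b")


def parse_version(text):
    """Turn '117.0.5938.92' into (117, 0, 5938, 92); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(installed, fixed=FIXED_VERSION):
    """True when the installed build predates the fixed one.

    Tuple comparison handles builds with fewer components: (117, 0, 5938) sorts
    before (117, 0, 5938, 132), so a truncated version string is treated as unpatched.
    """
    return parse_version(installed) < parse_version(fixed)


def version_from_output(output):
    """Extract the version from '--version' output such as 'Google Chrome 117.0.5938.92'."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError(f"no version found in {output!r}")
    return match.group(1)


def installed_chrome_version(binaries=("google-chrome", "google-chrome-stable",
                                       "chromium", "chromium-browser")):
    """Best effort: ask the first Chrome/Chromium binary on PATH for its version.

    The binary names are assumptions for Linux/macOS installs. Returns None when
    no binary is found or none prints a parseable version.
    """
    for binary in binaries:
        try:
            out = subprocess.run([binary, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        try:
            return version_from_output(out)
        except ValueError:
            continue
    return None


def days_until_due(entry, today):
    """Days left until the KEV dueDate; negative once the deadline has passed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (date.fromisoformat(entry["dueDate"]) - today).days


def assess(installed, entry=SAMPLE_KEV_ENTRY, today=None):
    """Combine the version check with the KEV deadline into one remediation record."""
    today = today or date.today()
    vulnerable = needs_update(installed)
    remaining = days_until_due(entry, today)
    return {
        "cve": entry["cveID"],
        "installed": installed,
        "fixed": FIXED_VERSION,
        "vulnerable": vulnerable,
        "days_until_due": remaining,
        "overdue": vulnerable and remaining < 0,
    }


if __name__ == "__main__":
    # Constructed fallback version for machines with no Chrome binary on PATH.
    version = installed_chrome_version() or "117.0.5938.92"
    print(assess(version))
```

On Windows the version is easier to read from the registry or the `chrome.exe` file properties than from a command line; the comparison and deadline logic above are the same whichever way the version string is obtained.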
As the situation evolves, it is important for organizations and individuals to stay informed about the latest developments and guidance from reputable sources such as CISA and Google. By remaining vigilant and taking proactive measures to address vulnerabilities, we can collectively enhance our cybersecurity posture and protect against potential threats.