Google Chrome Zero-day Heap Overflow Vulnerability (CVE-2023-4863)

Google has released a security update for its Chrome browser to address a zero-day vulnerability tracked as CVE-2023-4863. Google rates the issue as Critical and has confirmed that an exploit for it exists in the wild.

CVE-2023-4863 is a heap buffer overflow in the WebP image decoding code (libwebp) that Chrome uses. A specially crafted WebP image, for example one embedded in a web page, may allow an attacker to execute arbitrary code or crash the browser. Google has not released details of the exploit.

CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, with a remediation due date of October 4, 2023 for federal civilian agencies.

Affected Versions

Google Chrome versions prior to 116.0.5845.187 (Mac and Linux) and 116.0.5845.187/.188 (Windows) are affected by the vulnerability.

Mitigation

Customers are requested to upgrade to the latest stable channel version: 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows. For more information, please refer to the Google Chrome security page.

One can perform a manual update from the Chrome menu via Help > About Google Chrome (or by opening chrome://settings/help), which checks for and downloads the update. Chrome must be relaunched for the fix to take effect; the About page offers a Relaunch button once the download completes.
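For fleet-wide triage, a version check is only correct if versions are compared numerically, part by part: a plain string comparison would rank 116.0.5845.9 above 116.0.5845.187 and wrongly mark it as patched. The script below is an added example, not code from Qualys or Google. It uses the fixed builds named in this advisory (Chrome 116.0.5845.187 and Edge 116.0.1938.81), parses version strings out of inventory text, and optionally asks a local Linux Chrome binary for its version with --version. The inventory lines and host names are constructed.

```python
#!/usr/bin/env python3
"""Flag Chrome/Edge builds older than the CVE-2023-4863 fixed versions.

Added example, not part of the Qualys advisory. The fixed versions are the
ones the advisory lists; the inventory entries below are constructed.
"""
import re
import shutil
import subprocess
from typing import Iterable, List, Optional, Tuple

# Fixed stable-channel builds named in the advisory (lowest patched build).
FIXED_VERSIONS = {
    "chrome": (116, 0, 5845, 187),
    "edge": (116, 0, 1938, 81),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a 4-part dotted version from text like 'Google Chrome 116.0.5845.180'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(product: str, version_text: str) -> bool:
    """True if the build is older than the fixed build for that product.

    Versions are compared as integer tuples, so 116.0.5845.9 sorts below
    116.0.5845.187 (a string comparison would get this wrong).
    """
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no dotted version found in {version_text!r}")
    return version < FIXED_VERSIONS[product]


def installed_chrome_version(binary_names: Iterable[str]) -> Optional[str]:
    """Ask a local Chrome/Chromium binary for its version (Linux-style PATH lookup).

    Returns None when no binary is found; Windows hosts would instead read the
    version from chrome://version or the installer registry keys.
    """
    for name in binary_names:
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
            return out.stdout.strip()
    return None


# Constructed inventory entries (host, product, version string); not real hosts.
SAMPLE_INVENTORY = [
    ("host-a", "chrome", "Google Chrome 116.0.5845.180"),
    ("host-b", "chrome", "Google Chrome 116.0.5845.187"),   # fixed build
    ("host-c", "chrome", "Google Chrome 117.0.5938.62"),    # newer major
    ("host-d", "edge", "Microsoft Edge 116.0.1938.76"),
    ("host-e", "chrome", "Google Chrome 116.0.5845.9"),     # string compare would pass this
]


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the inventory entries that still need patching."""
    return [(h, p, v) for h, p, v in inventory if is_vulnerable(p, v)]


if __name__ == "__main__":
    for host, product, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver} is vulnerable to CVE-2023-4863")
    local = installed_chrome_version(
        ["google-chrome", "google-chrome-stable", "chromium", "chromium-browser"])
    if local:
        state = "vulnerable" if is_vulnerable("chrome", local) else "patched"
        print(f"local chrome: {local} ({state})")
```

Running the script lists host-a, host-d and host-e as needing an update; host-b is on the fixed build and host-c is newer. Note that a build reported as patched is only protected once the browser has been relaunched, which this check cannot see.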

Qualys Detection

Qualys customers can scan their devices with QIDs 378848 and 378853 to detect vulnerable assets.

Microsoft has released Microsoft Edge Stable Channel version 116.0.1938.81 to address CVE-2023-4863 in Edge, which is built on the same affected Chromium code; the Chromium team has reported the vulnerability as being exploited in the wild. Other Chromium-based browsers and applications that bundle the same WebP decoding library need their own vendor updates.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
