Google has issued an emergency Chrome update just days after Apple released iOS 16.6.1
Just days after Apple released iOS 16.6.1 to secure iPhones and iPads against a critical zero-day exploit involving ImageIO, Google has rushed out an emergency security update for Chrome users for a zero-day threat impacting the WebP image format.
The coincidences run deeper than both addressing critical malicious image creation exploits, though.
Are CVE-2023-4863, Blastpass, iOS, And Chrome Security Updates Connected?
Apple and Google remain tight-lipped when it comes to releasing technical details concerning such zero-days to prevent further exploits while users are still updating devices. However, as my colleague Kate O’Flaherty reported, CVE-2023-41064 is a vulnerability that “could allow an adversary to execute code via a maliciously crafted image,” which was used in an attack called BLASTPASS and “leveraged PassKit attachments containing malicious images” according to Citizen Lab.
The Chrome zero-day, CVE-2023-4863, is a heap buffer overflow issue in the WebP image format. Although there is no confirmation as of yet, an exploit could potentially enable a zero-click attack when visiting a website containing a malicious image. The BLASTPASS exploit was also a zero-click attack, capable of compromising iPhones without any interaction, according to the Citizen Lab report.
Coincidence? Possibly, but it has to be noted that the Citizen Lab report was dated September 7, and the Chrome zero-day was reported to Google on September 6. By the Apple Security Engineering and Architecture team and Citizen Lab, no less.
I have approached Apple, Citizen Lab, and Google for a statement and will update this article if any is forthcoming.
Update Your Chrome Browser Now
Meanwhile, Google has stated that Chrome updates to 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/188 for Windows, will roll out across the coming days. Google also says that it is “aware that an exploit for CVE-2023-4863 exists in the wild.”
As such, and given that there appears to be a potential connection between the BLASTPASS spyware campaign and this emergency Chrome security update, all Chrome users are advised to update as soon as possible. Security updates are automatic, but it’s always best to check on your device to be sure that the fix has not only been downloaded but also activated. Head for the Help|About option to kickstart the update check process. Once a security update has been downloaded and installed, you will need to restart your browser to activate protection from this zero-day exploit.
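For anyone checking a fleet rather than a single machine, the Help|About check above can be scripted. The following is an added example, not code from the article or from Google: it compares a reported Chrome version against the fixed 116.0.5845.187 build quoted above (Windows also shipped .188, so .187 is used as the floor there too). The inventory lines are constructed samples, and the `google-chrome --version` probe assumes a Linux or macOS command-line install.

```python
"""Check whether an installed Chrome build carries the CVE-2023-4863 fix.

Added example, not from the article. The fixed build numbers are the ones
Google stated for Chrome 116 (as quoted in the article); the inventory lines
below are constructed samples, not real data.
"""
import re
import subprocess
from typing import Optional, Tuple

# First build per platform that includes the fix, as stated by Google.
# Windows shipped both .187 and .188, so .187 is the floor on every platform.
PATCHED = {
    "linux": (116, 0, 5845, 187),
    "mac": (116, 0, 5845, 187),
    "windows": (116, 0, 5845, 187),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 116.0.5845.140'; None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_patched(version_text: str, platform: str) -> bool:
    """True if the reported build is at or above the first fixed build.
    Tuple comparison handles later major releases (117.x and up) correctly."""
    ver = parse_version(version_text)
    if ver is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return ver >= PATCHED[platform.lower()]


def installed_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask a local Chrome/Chromium binary for its version string.
    Assumes a Linux/macOS CLI install; returns None if the binary is absent."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("host-a", "linux", "Google Chrome 116.0.5845.140"),   # pre-fix build
    ("host-b", "mac", "Google Chrome 116.0.5845.187"),     # exactly the fixed build
    ("host-c", "windows", "Google Chrome 116.0.5845.188"), # Windows .188 build
    ("host-d", "windows", "Google Chrome 117.0.6000.1"),   # constructed later release
]


def report(inventory=SAMPLE_INVENTORY) -> dict:
    """Map each host to True (patched) or False (update required)."""
    return {host: is_patched(ver, plat) for host, plat, ver in inventory}


if __name__ == "__main__":
    local = installed_version()
    if local:
        print(f"local: {local} -> {'patched' if is_patched(local, 'linux') else 'UPDATE REQUIRED'}")
    for host, ok in report().items():
        print(f"{host}: {'patched' if ok else 'UPDATE REQUIRED'}")
```

A passing version check only confirms the fixed build is on disk; as the article notes, the browser still has to be relaunched before the patched code is actually running, so pair this with a check of running Chrome process start times if you need certainty.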
Although it is not yet known if other Chromium-powered browsers such as Brave, Edge, Opera, and Vivaldi are impacted by this vulnerability, it would seem prudent to check these for security updates as well.