2 min Security

Multiple browsers patch actively exploited zero-day

Multiple browsers patch actively exploited zero-day

Chrome, Firefox, Microsoft Edge, Brave and Vivaldi web browsers are vulnerable to a zero-day exploit around the WebP image format. This vulnerability is reportedly already being actively exploited by hackers. Patches have since been implemented.

Several web browsers are vulnerable to the very critical zero-day exploit CVE-2023-4863, discovered by Apple and The Citizen Lab. This vulnerability affects the so-called WebP image format. This format developed by Google provides compression of video files to reduce the required storage capacity. It is an alternative to such well-known formats as JPEG, PNG and GIF.

A transformation from, for example, JPEG to WebP can result in about 30 percent less storage space. This allows websites to download the (video) file more easily. The format also supports both static images and animations, eliminating the need to store them in separate formats.

Heap buffer overflow possible cause

Little has been disclosed about the details of the vulnerability now found. More information may become available once all the patches are implemented in bulk.

According to Google, the exploit, especially for Chromium, causes a heap buffer overflow in memory, among other things. Operating systems allocate memory to browsers and other applications for their calculations. This memory, in turn, is divided into segments.

A heap buffer overflow occurs when a segment is allocated more data than it can handle. The excess data then overwrites the information stored in neighbouring segments. Hackers can exploit this vulnerability by overwriting sensitive components of an app or program with malicious code.

Patches available

Affected browsers include Chrome, Firefox, Microsoft Edge, Brave and Vivaldi. All responsible organizations behind the browsers have now implemented patches that fix the problem with the specific format.

Also read: Chrome extensions steal passwords in plain text