There’s a new zero-day exploit for some of the world’s most popular software out there, and according to Google, it’s being actively attacked in the wild. Google’s security researchers say that the vulnerability comes from a widely-used media encoding library for the WebM file format. It could leave a ton of programs open to attack, from Chrome and Firefox to Skype and VLC, across more or less every major operating system. Update Chrome immediately to get the patch.
Google documents the bug as a high-profile security issue, labeled “CVE-2023-5217.” “Heap buffer overflow in vp8 encoding in libvpx” is the description, and if you haven’t sunk proficiency points into software jargon, that means that in specific situations it’s possible for a program to write more data into a memory buffer than it was designed to hold. That can cause it to overwrite other data, which the program generally can’t account for, opening up unforeseen security issues.
If you need a Star Trek-style metaphor, imagine it as pouring too much cake batter into a mold, and the spilled-over batter catches fire in the oven. The cake batter is your data, the oven is any piece of software, and the fire is…bad stuff that malicious hackers can take advantage of. Hey, I didn’t say it was perfect.
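As an added illustration of the bug class (constructed example code, not libvpx’s or the article’s), here is a toy encoder whose frame buffer is sized once when it is opened: a size change that skips resizing leaves the buffer too small for the next frame, the checked variant reallocates first, and the frame copy’s own capacity check is the last line of defence. The names (encoder_t, encoder_write_frame and so on) are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy encoder context, constructed to illustrate the bug class the article
 * describes (not libvpx's code). frame_buf is sized once at open time. */
typedef struct {
    size_t width, height;  /* dimensions claimed for the next frame */
    size_t capacity;       /* bytes actually allocated behind frame_buf */
    uint8_t *frame_buf;
} encoder_t;

encoder_t *encoder_open(size_t w, size_t h) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return NULL;  /* w*h would wrap */
    encoder_t *enc = calloc(1, sizeof *enc);
    if (!enc) return NULL;
    enc->frame_buf = malloc(w * h);
    if (!enc->frame_buf) { free(enc); return NULL; }
    enc->width = w; enc->height = h; enc->capacity = w * h;
    return enc;
}

void encoder_close(encoder_t *enc) {
    if (enc) { free(enc->frame_buf); free(enc); }
}

/* Vulnerable pattern: a later configuration change accepts larger dimensions
 * but never resizes the buffer, so a copy trusting width*height overruns. */
int encoder_set_frame_size_unchecked(encoder_t *enc, size_t w, size_t h) {
    enc->width = w; enc->height = h;  /* capacity silently left stale */
    return 0;
}

/* Hardened pattern: reject wrapping sizes, grow the allocation, then accept. */
int encoder_set_frame_size_checked(encoder_t *enc, size_t w, size_t h) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return -1;
    if (w * h > enc->capacity) {
        uint8_t *p = realloc(enc->frame_buf, w * h);
        if (!p) return -1;
        enc->frame_buf = p; enc->capacity = w * h;
    }
    enc->width = w; enc->height = h;
    return 0;
}

/* Copy one raw frame in; the capacity check refuses instead of overflowing. */
int encoder_write_frame(encoder_t *enc, const uint8_t *raw, size_t raw_len) {
    size_t need = enc->width * enc->height;
    if (raw_len < need || need > enc->capacity) return -1;
    memcpy(enc->frame_buf, raw, need);
    return 0;
}
```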
Ars Technica notes that Mozilla has already confirmed that Firefox is vulnerable to the same issue, and that the VP8 WebM format is used in so much software around the world that this could turn into a major headache. We’re talking everything from long-established business tools like Skype, to user-favorite applications like VLC, to hardware-adjacent programs from AMD, Nvidia, and Logitech. Exactly which of those programs are vulnerable isn’t clear at the moment, but the potential is there for something wide-reaching and problematic.
The bad news is that this vulnerability is being exploited in the wild already, though Google isn’t being specific about where or how. The good news is that it appears to be a simple patch, since both Chrome (version 117) and Firefox (118) have already shipped one. More good news: the vulnerability appears to exist only when media is encoded, not decoded, so the list of affected programs may not extend to every single one that uses the libvpx library.