A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited Vulnerabilities catalog.

A vulnerability in an open source video codec used by a host of major browsers represents a serious security threat, the US Cybersecurity and Infrastructure Agency (CISA) says.

The flaw affects web browsers that use the libvpx media library, a joint project between Google and the Alliance for Open Media. It received a Common Vulnerability Scoring System (CVSS) v3 score of 8.8, which experts characterize as a “high” severity threat. A CISA announcement Monday said that there is evidence of the flaw being actively exploited, making this a zero-day threat.

The vulnerability enables a type of buffer overflow attack, according to CISA. In other words, at some stage the size of the memory buffer used to handle input isn’t set correctly, so a bad actor can craft a malicious input much larger than the buffer; that input is then not processed correctly, which can lead to a range of consequences. Buffer and heap overflows are a common target for malicious hackers, given the wide applicability of the technique. In this case, and in keeping with the vulnerability’s high severity score, the flaw may enable remote code execution, letting attackers deliver dangerous payloads onto vulnerable systems.

“If you’re really clever, you can craft an exploit that gets into system memory,” said Christopher Rodriguez, a research director at IDC. “If it were a lower level [exploit], it might be limited to what parts of memory it can touch … maybe crash an application.”

Patches have been issued by the companies behind most major browsers that run Chromium, including Google Chrome and Microsoft Edge. The libvpx codec is also present in Firefox, which has also been patched.
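To make the size mismatch CISA describes concrete, here is an added C example (constructed for this article, not libvpx code and not from the original page): a decoder-style frame buffer is allocated from header-declared dimensions, and the hardened copy routine refuses any payload whose own length exceeds that allocation instead of writing past the heap block. The `frame_t` type, function names and the 16384-pixel dimension cap are assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of a decoder frame buffer (not libvpx).
 * The buffer is sized from dimensions the stream header declares, while the
 * payload copied into it later carries its own, separately attacker-supplied
 * length. The two must be reconciled before any write. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t *pixels;    /* width * height bytes, allocated from the header */
    size_t   capacity;  /* bytes actually allocated */
} frame_t;

/* Allocate a frame from header-declared dimensions. Returns 0 on success.
 * The dimension cap (assumed value) keeps width * height from overflowing. */
int frame_alloc(frame_t *f, uint32_t width, uint32_t height) {
    if (width == 0 || height == 0 || width > 16384 || height > 16384) return -1;
    f->capacity = (size_t)width * (size_t)height;
    f->pixels = malloc(f->capacity);
    if (!f->pixels) return -1;
    f->width = width;
    f->height = height;
    return 0;
}

/* Hardened fill: the payload length is checked against the capacity that was
 * actually allocated, not against what the payload claims about itself. */
int frame_fill_checked(frame_t *f, const uint8_t *payload, size_t payload_len) {
    if (f->pixels == NULL || payload_len > f->capacity) return -1;
    memcpy(f->pixels, payload, payload_len);
    return 0;
}

void frame_free(frame_t *f) { free(f->pixels); f->pixels = NULL; f->capacity = 0; }

/* Header says 4x4 (16 bytes) but the payload is 64 bytes: must be rejected. */
int demo_oversized_payload_rejected(void) {
    frame_t f;
    uint8_t payload[64];                 /* constructed oversized input */
    memset(payload, 0xAB, sizeof payload);
    if (frame_alloc(&f, 4, 4) != 0) return -2;
    int rc = frame_fill_checked(&f, payload, sizeof payload);
    frame_free(&f);
    return rc;                           /* -1: caught before any write */
}

/* Header and payload agree (4x4, 16 bytes): accepted. */
int demo_matching_payload_accepted(void) {
    frame_t f;
    uint8_t payload[16] = {0};           /* constructed well-formed input */
    if (frame_alloc(&f, 4, 4) != 0) return -2;
    int rc = frame_fill_checked(&f, payload, sizeof payload);
    frame_free(&f);
    return rc;                           /* 0 */
}
```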
Its severity means that organizations must stay on top of patching in order to avoid potentially serious consequences. (The CISA notice gives federal civilian agencies until October 23 to fully protect themselves against the flaw.)

“The browser’s so powerful these days,” said Rodriguez. “So many applications work over the web, including SaaS and [business applications] designed for remote workers. Even sensitive data that goes into your personal browser can be an issue.”

Rodriguez also urged the adoption of endpoint security measures to help defend against this type of zero-day attack.