Jon Gold
Senior writer

Google Chrome zero-day jumps onto CISA’s known vulnerability list

News
Oct 03, 2023
3 mins
Zero-day vulnerability

A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited Vulnerabilities catalog.

A vulnerability in an open source video codec used by a host of major browsers represents a serious security threat, the US Cybersecurity and Infrastructure Agency (CISA) says.

The flaw affects web browsers that use the libvpx media library, a joint project between Google and the Alliance for Open Media. It received a common vulnerability rating of 8.8 on the CVSS v3 scale, meaning that it is characterized by experts as a “high” severity threat. A CISA announcement Monday said that there is evidence of the flaw being actively exploited, making this a zero-day threat.

The vulnerability enables a type of buffer overflow attack, according to CISA. In other words, at some stage the size of the memory buffer used to handle inputs isn’t set correctly, so a bad actor can craft a malicious input much larger than the buffer; that input won’t be processed correctly, which could lead to a range of consequences. Buffer and heap overflows are a common target for malicious hackers, given the wide applicability of the technique.

In this case, and in keeping with the exploit’s high severity score, the flaw may enable remote code execution, letting attackers deliver dangerous payloads onto vulnerable systems.

“If you’re really clever, you can craft an exploit that gets into system memory,” said Christopher Rodriguez, a research director at IDC. “If it were a lower level [exploit], it might be limited to what parts of memory it can touch … maybe crash an application.”

Patches have been issued by the companies behind most major browsers that run Chromium, including Google Chrome and Microsoft Edge. The libvpx codec is also present in Firefox, which has also been patched. The flaw’s severity means that organizations must stay on top of patching in order to avoid potentially serious consequences. (The CISA notice gives federal civilian agencies until October 23 to fully protect themselves against the flaw.)

“The browser’s so powerful these days,” said Rodriguez. “So many applications work over the web, including SaaS and [business applications] designed for remote workers. Even sensitive data that goes into your personal browser can be an issue.”

Rodriguez also urged the adoption of endpoint security measures to help defend against this type of zero-day attack.