Jump to content
  • Google fixes Chrome flaw exploited by spyware vendor

    aum

    • 303 views
    • 3 minutes
     Share


    • 303 views
    • 3 minutes

    Google said it is aware that an exploit for this vulnerability exists and that it will take days or weeks to roll out the patch to all users.

     

    Google has fixed a zero-day vulnerability that was actively exploited by a commercial spyware vendor.

     

    The flaw was first reported towards the end of August and was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on 25 September. Google said it had patched this vulnerability two days later.

     

    The company said it is aware that an exploit for this vulnerability exists “in the wild”. Meanwhile, one security researcher with TAG said that the zero-day exploit was “in use by a commercial surveillance vendor”.

     

    The flaw is caused by a “heap buffer overflow” in the VP8 encoding in libvpx, a Google video codec library. These overflows can be used to “execute arbitrary code” and subvert security services, according to a Common Weakness Enumeration post.

     

    Google has released the patch for Windows, Mac and Linux users, but said it will take days or weeks until it is fully rolled out.

     

    “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said in a blogpost. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.

     

    “We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”

     

    Exploited by spyware vendors


    Zero-day flaws in software remain a constant concern, particularly as they can be exploited for the purposes of implanting spyware – such as Pegasus – onto vulnerable devices.

     

    Last week, Apple released a security update for its latest version of iOS, due to reports that the flaws may have been “actively exploited” by cyberattackers. A report from TAG the same week said an iPhone flaw was being used by commercial surveillance vendor Intellexa to install Predator spyware onto devices.

     

    Earlier this month, Apple released an security update to patch a zero-day vulnerability related to Pegasus spyware.

     

    That vulnerability was ‘zero-click’, which means that users do not need to click a link or do anything to have the spyware installed on their iPhones or iPads. It was identified a few weeks ago by Citizen lab researchers who were checking a Washington DC-based civil society organisation employee’s device.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...