Google Patches Critical Chrome Flaw Linked to iOS Spyware Attack
It looks like a spyware attack that’s been targeting Apple iPhones can also compromise Google’s Chrome browser.
Google issued an emergency patch today for a critical flaw in Chrome while warning that hackers may already be exploiting the vulnerability to attack users.
Apple and the watchdog group Citizen Lab reported the vulnerability to Google—an indicator that the flaw is related to the recent spyware attack uncovered for iOS, macOS and watchOS.
The Citizen Lab at The University of Torontoʼs Munk School initially discovered the threat for Apple’s products while investigating a device that belonged to “an individual employed by a Washington, D.C.-based civil society organization with international offices.”
It turns out the device had been infected with the Pegasus spyware tied to NSO Group, an Israeli cyberarms provider known for selling to foreign governments and law enforcement groups. Specifically, the spyware leveraged two vulnerabilities in Apple software, CVE-2023-41064 and CVE-2023-41061, which involve using maliciously crafted files.
Although NSO Group didn’t respond to a request for comment, the company has been spotted upgrading Pegasus with new capabilities over the years, which could explain why the spyware was able to target the latest versions of iOS and now Google’s browser.
The critical flaw for Chrome, dubbed CVE-2023-4863, involves WebP, an image format that the browser supports. A bug can cause the software to flood data into the browser’s memory buffer when Chrome processes a maliciously crafted HTML page. The booby-trapped web page can be exploited to write data in the browser’s memory, where it’s normally not allowed to. This suggests the vulnerability could be packaged with a malicious
Read more on pcmag.com
