You should UPDATE chrome RIGHT NOW!

Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).

A heap-based buffer overflow occurs when a program fails to adequately control the memory space it utilizes for data storage. Think of it like a robotic arm that’s been programmed to write in a book. It tries to write a paragraph in the open area between two blocks of text. However, it doesn’t recognise when it should cease writing and inadvertently starts overwriting the existing block of text.

When this happens in a program’s memory, it can lead to crashes or even allow malicious hackers to take control of the program by over-writing valid code with their own malicious code. Making it a significant security concern.

Whats the extent of the vulnerability?

The VP8 WebM format is used in so much software around the world. It could leave a lot of programs open to attack, including Chrome, Firefox, Skype and VLC and even hardware-adjacent programs from AMD, Nvidia, and Logitech. Exactly which of those programs are vulnerable isn’t clear at the moment, but the potential is there for something wide-reaching and problematic.

This marks the fifth occasion this year that Google has needed to address an issue of this nature in Chrome. These problems are termed “zero-days”. Because they come to light when malicious individuals begin exploiting them, and solutions haven’t been implemented yet.

It’s also possible that another company called Cytrox used a similar problem in Chrome to spy on people, but we don’t know for sure.

To stay safe, it’s important to make sure your Chrome browser is updated to version 117.0.5938.132. This update will protect your computer from these kinds of problems. If you use browsers like Microsoft Edge, Brave, Opera, or Vivaldi, you should also update them when fixes are available.

Mozilla on Thursday released Firefox updates to fix CVE-2023-5217, noting that “specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process.” The issue has been resolved in versions Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1, and Firefox for Android 118.1.