Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto’s Munk School have been credited with discovering and reporting the flaw on September 6, 2023.
The tech giant has yet to disclose additional details about the nature of the exploit, but noted that it’s “aware that an exploit for CVE-2023-4863 exists in the wild.”
With the latest fix, Google has addressed a total of four zero-days in Chrome since the start of the year.
The development comes the same day Apple expanded fixes to remediate CVE-2023-41064 to additional devices and operating systems.
CVE-2023-41064 relates to a buffer overflow issue in the Image I/O component that could lead to arbitrary code execution when processing a maliciously crafted image.
According to the Citizen Lab, CVE-2023-41064 is said to have been used in conjunction with CVE-2023-41061, a validation issue in Wallet, as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.
The fact that both CVE-2023-41064 and CVE-2023-4863 hinge on image processing, and that the latter was reported by Apple and the Citizen Lab, suggests a possible connection between the two.
Users are advised to upgrade to Chrome version 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should likewise apply the fixes as and when they become available.