Google said it is aware that an exploit for this vulnerability exists and that it will take days or weeks to roll out the patch to all users.
Google has fixed a zero-day vulnerability that was actively exploited by a commercial spyware vendor.
The flaw was first reported towards the end of August and was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on 25 September. Google said it had patched this vulnerability two days later.
The company said it is aware that an exploit for this vulnerability exists “in the wild”. Meanwhile, one security researcher with TAG said that the zero-day exploit was “in use by a commercial surveillance vendor”.
The flaw is caused by a “heap buffer overflow” in the VP8 encoding in libvpx, a Google video codec library. These overflows can be used to “execute arbitrary code” and subvert security services, according to a Common Weakness Enumeration post.
Google has released the patch for Windows, Mac and Linux users, but said it will take days or weeks until it is fully rolled out.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said in a blogpost. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”
Exploited by spyware vendors
Zero-day flaws in software remain a constant concern, particularly as they can be exploited for the purposes of implanting spyware – such as Pegasus – onto vulnerable devices.
Last week, Apple released a security update for its latest version of iOS, due to reports that the flaws may have been “actively exploited” by cyberattackers. A report from TAG the same week said an iPhone flaw was being used by commercial surveillance vendor Intellexa to install Predator spyware onto devices.
Earlier this month, Apple released an security update to patch a zero-day vulnerability related to Pegasus spyware.
That vulnerability was ‘zero-click’, which means that users do not need to click a link or do anything to have the spyware installed on their iPhones or iPads. It was identified a few weeks ago by Citizen lab researchers who were checking a Washington DC-based civil society organisation employee’s device.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.