Coverage and Recommendation for Lookout Admins
Lookout strongly suggests that all mobile device users turn on automatic app updates on their devices. Lookout admins should proactively enable the vulnerability protection policy in the Lookout console and configure it with remediation actions that align with their organization’s response workflows. Lookout will detect the following out-of-date app versions, for Firefox as of October 5th and Chrome as of October 12th:
- Chrome for Android (com.android.chrome) versions lower than 117.0.5938.140 will be detected as Chrome-CVE-2023-5217
- Firefox for Android (org.mozilla.firefox) versions lower than 118.1.0 will be detected as Firefox-CVE-2023-5217
- Firefox Focus for Android (org.mozilla.focus) versions lower than 118.1.0 will be detected as FirefoxFocus-CVE-2023-5217
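For admins who also want to check an app inventory export against the same thresholds, the following is an added example, not Lookout's detection logic. The CSV layout, device names, and the "unparsed" result are assumptions made for illustration; the package names, minimum versions, and detection names come from the list above.

```python
import csv
import io
import re

# Minimum patched versions and detection names from the list above.
THRESHOLDS = {
    "com.android.chrome": ((117, 0, 5938, 140), "Chrome-CVE-2023-5217"),
    "org.mozilla.firefox": ((118, 1, 0), "Firefox-CVE-2023-5217"),
    "org.mozilla.focus": ((118, 1, 0), "FirefoxFocus-CVE-2023-5217"),
}

# Constructed sample inventory (hypothetical device names and export format).
SAMPLE_INVENTORY = """\
device,package,version
pixel-01,com.android.chrome,117.0.5938.92
galaxy-07,org.mozilla.firefox,118.0.1
galaxy-07,org.mozilla.focus,118.1.0
moto-03,org.mozilla.firefox,119.0b1
moto-03,com.example.notes,1.0
"""

def parse_version(text):
    """'117.0.5938.92' -> (117, 0, 5938, 92); None if not purely dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(package, version_name):
    """Detection name, 'ok', 'unparsed', or None for packages not on the list."""
    if package not in THRESHOLDS:
        return None
    minimum, label = THRESHOLDS[package]
    version = parse_version(version_name)
    if version is None:
        return "unparsed"  # send to manual review instead of assuming patched
    # Compare numerically, zero-padded: as strings, "92" would sort above "140".
    width = max(len(version), len(minimum))
    padded = [v + (0,) * (width - len(v)) for v in (version, minimum)]
    return label if padded[0] < padded[1] else "ok"

def audit(inventory_csv):
    """Return (device, package, version, result) for every row needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result = classify(row["package"], row["version"])
        if result not in (None, "ok"):
            findings.append((row["device"], row["package"], row["version"], result))
    return findings
```

Calling `audit(SAMPLE_INVENTORY)` returns the two out-of-date installs plus the one version string that could not be parsed and needs manual review.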
A vulnerability was recently disclosed in libvpx, a video codec library from Google and the Alliance for Open Media. Tracked as CVE-2023-5217, it affects multiple browsers that use libvpx, including Chrome, Firefox, and Firefox Focus for Android. Since the vulnerability is most likely to be exploited remotely using web-hosted content, it was given a CVSS score of 8.8/10.
Since this vulnerability is being actively exploited in the wild and could enable remote code execution, CISA has made it a requirement for government organizations to patch it by October 23rd, 2023. The patched versions of the affected apps are available on Google Play.
This vulnerability is a heap buffer overflow in the VP8 encoding in libvpx and could allow a remote attacker to exploit heap corruption via a maliciously crafted HTML page. The most likely way for an attacker to exploit this vulnerability would be to send their target a link to a maliciously crafted webpage in hopes that the target still has a vulnerable version of Chrome or Firefox on their device.
It’s common for attackers to try to take advantage of the window between when a vulnerability is disclosed and when apps are updated, as anyone who does not have automatic app updates turned on could be exploitable for days or even weeks. A successful exploit may grant a threat actor access to the vulnerable browser’s capabilities without needing to root the device. In the case of Chrome, for example, this includes access to contacts, the device’s microphone, on-device identity, the camera, media files, and more.