We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Google Patches Vulnerability Exploited by Spyware

Google Patches Vulnerability Exploited by Spyware
Author Image Husain Parvez
Husain Parvez Published on 2nd October 2023 Cybersecurity Researcher

In a swift response to a critical security threat, Google has patched a zero-day vulnerability in its Chrome browser that was being actively exploited by a commercial spyware vendor. The vulnerability, identified as CVE-2023-5217, was a heap buffer overflow in vp8 encoding within the libvpx library.

The discovery of the vulnerability was credited to Clement Lecigne of Google’s Threat Analysis Group (TAG), who reported it just two days before the release of the patch. Google has been cautious about revealing specific details regarding the vulnerability, stating, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."

This vulnerability also potentially has far-reaching implications, as it could affect not only Chrome, but also other popular apps and platforms that utilize the affected open-source libwebp library. This includes 1Password, Firefox, Microsoft Edge, Safari, and Signal.

Maddie Stone, a TAG researcher, revealed in a post on X (formerly Twitter) that the vulnerability was being actively exploited by a commercial spyware vendor, though no further details were given.

The spyware market has seen significant growth as of late, with around 30 known commercial vendors offering sophisticated tools capable of remotely accessing smartphone data, activating microphones, tracking locations, and more. Despite assurances from such vendors regarding stringent controls, there have been increasing concerns about the misuse of such tools by authoritarian or repressive regimes.

The exploitation of such vulnerabilities by spyware vendors has already had international repercussions, with instances of spyware being deployed against political figures and civil society organizations. A notable example includes the use of Predator spyware, developed by Cytrox, against an Egyptian presidential candidate. These incidents raise critical questions about digital security, the ethical use of surveillance technologies, and the need for regulatory oversight.

According to BankInfoSecurity, this marks the fifth urgent security update rolled out by Google this year aimed at protecting Chrome users. This recent patch comes shortly after Google addressed another zero-day vulnerability, CVE-2023-4863.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.