Google fixes sixth 2024 Chrome Zero-Day (CVE-2024-4671)

Naveen May 11, 2024

Zero-day Chrome


Google fixed a significant security flaw in Chrome. This year, Google fixed this Chrome zero-day vulnerability five times, demonstrating their continued efforts to combat online dangers.
This is a succinct overview:


  • Vulnerability Type: Chrome zero-day (CVE-2024-4671), a "use-after-free" flaw in the Chrome browser's Visuals (content display) module.
  • Severity: High; may result in data leaks, code execution, and browser crashes.
  • Indeed, this vulnerability was exploited by attackers.
  • Install the most recent version of Chrome for security. Although Google Chrome typically updates automatically, you can manually check the settings.

The most recent zero-day vulnerability in Chrome


  • Google has released its fifth 2024 patch.
  • An attacker can take control of your browser, execute malicious code, or steal data thanks to this serious security flaw.
  • The "Visuals" component of Chrome, which shows content, is vulnerable.
  • Google is aware of attacks using exploits that are taking place in the wild.
  • It is imperative that you update Chrome as soon as possible to the most recent version (124.0.6367.201/.202 for Mac and Windows, 124.0.6367.201 for Linux) in order to protect yourself.
  • The Chrome update that addressed the fifth Chrome zero-day vulnerability this year was released rather recently, despite the fact that it isn't made obvious in the material I found.
  • Articles discussing the upgrade are dated May 10, 2024, indicating that the release occurred on or around that date.

Zero-day vulnerability in Chrome


In fact, what it knows about the fifth Chrome zero-day vulnerability that Google has fixed is as follows:

One possible weakness is "use-after-free." Software that doesn't properly release memory can be used by attackers.

Component: Chrome's "Visuals" component. This Chrome area regulates how content is displayed in your browser.
High severity—an 8.8 out of 10 grade. This points to a significant weakness that could be exploited for nefarious purposes.

Abuse: When in the wild, taken advantage of. This suggests that attackers were already using this vulnerability to launch attacks prior to the patch's release.

The patched versions of Chrome 124.0.6367.201/.202 (Mac & Windows) and 124.0.6367.201 (Linux) are available for download.

Advice:


  • Update Chrome to the most recent version as soon as you can. Despite the fact that Chrome updates automatically most of the time, you can manually check for updates by selecting Settings > About Chrome.
  • To keep up with new vulnerabilities, make sure you follow reputable security news sites.

Zero-day Google Chrome 2024


  • Sources claim that Google has patched the fifth zero-day vulnerability in Chrome for this year (2024). What is recognised as follows:
  • Regularity: Google has been actively combating zero-day vulnerabilities, as evidenced by the patching of this sixth issue in 2024.
  • Severity: Due to its high categorization of severity, hackers might be able to utilise it to steal your information, run malicious software, or bring your browser to a complete stop.
  • Technical details Particularly problematic is Chrome's "Visuals" component, which manages how material appears on your screen.
  • Prior to the fix, Google confirmed that attackers were using this vulnerability "in the wild."

Chrome's most recent zero-day version


For your own safety, you must update Chrome to the most recent version:

  • 202 or 124.0.6367.201 for Mac and Windows
  • Linux: 124.0.6367.201 (this address will probably be modified over the next few days)
  • Even though Chrome updates automatically most of the time, you may manually check for updates by going to Settings > About Chrome.

Zero-day vulnerabilities in Chrome


  • Zero-day vulnerabilities in Chrome have been resolved as follows:
  • CVE-2024-0519: An extremely serious out-of-bounds memory access vulnerability in the JavaScript engine of Chrome V8 that enables remote attackers to use heap corruption in conjunction with a well constructed HTML page to extract sensitive information.

High-severity misunderstanding bug CVE-2024-2887 in WebAssembly (Wasm). RCE attacks can be initiated by malicious HTML webpages.

Web applications encode and decode audio and video using the WebCodecs API, which is vulnerable to the use-after-free vulnerability CVE-2024-2886. By using specifically designed HTML websites, attackers might remotely execute code.

Extremely severe Out-of-bounds read vulnerability in the JavaScript engine of Chrome V8 (CVE-2024-3159). Through careful HTML site design, remote attackers were able to take advantage of this vulnerability and access data beyond the memory buffer. Due to heap corruption, private information could be stolen.

Another Chrome zero-day is fixed by Pwn2Own and Google.


  • Google has corrected another zero-day Chrome vulnerability from the Pwn2Own hacking competition last month.

  • The Chrome V8 JavaScript engine out-of-bounds read vulnerability is the source of the high-severity security flaw known as CVE-2024-3159.
  • By using specially designed HTML websites to access data beyond the memory buffer through heap corruption, remote attackers can take advantage of this issue. They might crash or have access to private information.
  • Security researchers Edouard Bochin and Tao Yan from Palo Alto Networks showed off how to use a zero-day attack to go beyond V8 hardening on the second day of Pwn2Own Vancouver 2024.

Their double-tap exploit, which allowed them to execute arbitrary code on Google Chrome and Microsoft Edge, won them $42,500.

Exploitation of Chrome zero-days during Pwn2Own Vancouver 2024

 
The zero-day has finally been resolved with Google Chrome stable channel versions 123.0.6312.105/.106/.107 (Windows and Mac) and 123.0.6312.105 (Linux). In the coming days, this version will be made available everywhere.

Two more zero-days in Chrome were used during Pwn2Own.

Google was able to resolve Vancouver 2024. The first was a high-severity type confusion vulnerability (CVE-2024-2887) in the Reassembly (Wasm) open standard that affected both Chrome and Edge. Manfred Paul exploited this vulnerability with a double-tap RCE exploit.


Additionally, Seunghyun Lee of the KAIST Hacking Lab gained remote code execution on both Chromium web browsers by exploiting the second, a use-after-free (UAF) vulnerability in the WebCodecs API (CVE-2024-2886).

Mozilla also patched two Firefox zero-days that Manfred Paul had utilised at this year's Pwn2Own Vancouver competition on the same day that the bugs were exploited.

While businesses frequently take their time resolving Pwn2Own zero-days, Google and Mozilla both released security updates in less than a week, and Trend Micro's Zero Day Initiative makes issue data publicly available after 90 days.

Google has patched four Chrome zero-days this year; the fourth, CVE-2024-0519), was fixed in January as an actively exploited zero-day that exploited an out-of-bounds memory access vulnerability in the V8 JavaScript engine to allow attackers to access sensitive data or crash unpatched browsers.

Furthermore, on Tuesday, the company fixed two Android zero-days that were being exploited by forensic firms to unlock Pixel phones without a PIN and extract the data they held.

News sources :Chrome Zero-Day
Tags:

Post a Comment

0 Comments