Chrome zero day
Google patched a major Chrome security problem. Google corrected this Chrome zero day vulnerability five times this year, highlighting its ongoing fight against online threats.
Here’s a brief summary:
- Vulnerability Type: Chrome zero day (CVE-2024-4671), a “use-after-free” vulnerability in the Visuals component of Chrome (which shows content).
- Severity: High; may cause browser crashes, code execution, and data leaks.
- Yes, attackers exploited this vulnerability.
- Install the latest Chrome browser for safety. Google Chrome usually updates automatically, but you can check settings manually.
The latest Chrome zero day vulnerability
- This is Google’s fifth 2024 patch.
- This significant security vulnerability allows an attacker to take control of your browser, run malicious code, or steal data.
- The vulnerability is in Chrome’s “Visuals” component, which displays content.
- Google is aware of exploit-based assaults occurring in the wild.
- To protect yourself, it’s critical that you update Chrome to the most recent version (124.0.6367.201/.202 for Mac and Windows, 124.0.6367.201 for Linux) as soon as you can.
- Although it isn’t stated clearly in the material I found, the Chrome update that fixed the fifth Chrome zero day vulnerability this year was released quite recently, according to news reports.
- May 10, 2024 is the date on which articles addressing the upgrade are dated, suggesting that the release happened on or around that day.
Chrome zero day vulnerability
Indeed, the following is what it know about the fifth zero-day vulnerability in Chrome that Google has patched:
Potential vulnerability: “Use-after-free”. Attackers can exploit software that doesn’t properly free memory.
Component: “Visuals” component in Chrome. This section of Chrome controls how your browser displays material.
High severity, with a rating of 8.8 out of 10. This suggests a major vulnerability that might be used for malicious activities.
Exploitation: In the wild, actively exploited. This indicates that before the patch was made available, attackers were already utilizing this vulnerability to conduct attacks.
Status of the Patch: Versions 124.0.6367.201/.202 (Mac & Windows) and 124.0.6367.201 (Linux) of Chrome have been patched.
Suggestions:
- As soon as you can, update Chrome to the most recent version. Although Chrome usually updates itself, you may manually check for updates by going to Settings > About Chrome.
- Make sure you follow reliable security news sources to stay informed about upcoming vulnerabilities.
Google Chrome zero day 2024
According to sources, Google fixed Chrome’s fifth zero day vulnerability this year (2024). What is known as follows:
- Frequency: Google has patched this sixth zero day issue in 2024, demonstrating the continuous fight against such dangers.
- Severity: Because of its high-severity classification, attackers may be able to use it to steal your data, execute malicious software, or cause your browser to crash.
- Technical information The “Visuals” component in Chrome, which controls how content is shown on your screen, is specifically flawed.
- The use of this vulnerability “in the wild” by attackers has been verified by Google prior to the patch.
Chrome zero day most recent version
It is essential that you update Chrome to the most recent version for your protection:
- 124.0.6367.201/.202 for Windows and Mac
- Linux: 124.0.6367.201 (likely to be updated in the next several days)
- To manually check for updates, navigate to Settings > About Chrome, even though Chrome updates automatically most of the time.
Chrome zero day vulnerabilities
Chrome zero day vulnerabilities have been fixed as follows:
- CVE-2024-0519: A high-severity out-of-bounds memory access vulnerability in Chrome V8’s JavaScript engine that allows remote attackers to leverage heap corruption through a carefully crafted HTML page to obtain confidential data.
- High-severity WebAssembly (Wasm) confusion bug CVE-2024-2887. Malicious HTML webpages can launch RCE attacks.
Web programmes use the WebCodecs API to encode and decode audio and video, which has a use-after-free vulnerability CVE-2024-2886. Attackers could execute code remotely using specially crafted HTML sites.
High-severity Chrome V8 JavaScript engine out-of-bounds read vulnerability CVE-2024-3159. Remote attackers exploited this vulnerability by carefully designing HTML sites to access data outside the memory buffer. This caused heap corruption, which may steal confidential data.
Pwn2Own, Google fixes another Chrome zero-day
Another Chrome zero day vulnerability from last month’s Pwn2Own hacking competition been updated by Google.
- CVE-2024-3159 is a high-severity security vulnerability caused by Chrome V8 JavaScript engine out-of-bounds read.
- Remote attackers can exploit this vulnerability by using specially built HTML sites to access data beyond the memory buffer using heap corruption. They may gain access to confidential data or crash.
- On the second day of Pwn2Own Vancouver 2024, security researchers Edouard Bochin and Tao Yan from Palo Alto Networks demonstrated how to circumvent V8 hardening using a zero-day exploit.
They were awarded $42,500 for their double-tap attack, which gave them the ability to run arbitrary code on Microsoft Edge and Google Chrome.
Chrome zero-days exploited at Pwn2Own Vancouver 2024
With Google Chrome stable channel version 123.0.6312.105/.106/.107 (Windows and Mac) and 123.0.6312.105 (Linux), the zero-day has finally been solved. This version will be released globally in the next days.
Two more Chrome zero day that were exploited at Pwn2Own Vancouver 2024 were resolved by Google. A double-tap RCE exploit by Manfred Paul targeted the first, a high-severity type confusion vulnerability (CVE-2024-2887) in the Reassembly (Wasm) open standard, affecting both Chrome and Edge.
Seunghyun Lee of the KAIST Hacking Lab additionally used the second, a use-after-free (UAF) vulnerability in the WebCodecs API (CVE-2024-2886), to obtain remote code execution on both Chromium web browsers.
On the same day that the bugs were exploited, Mozilla also patched two Firefox zero-days that Manfred Paul had used at this year’s Pwn2Own Vancouver competition.
While companies often take their time fixing Pwn2Own zero days, as Trend Micro’s Zero Day Initiative publicly exposes bug details after 90 days, Google and Mozilla both delivered security patches within a week.
Four Chrome zero-days have been patched by Google this year; the fourth was fixed in January as an actively exploited zero day (CVE-2024-0519) that allowed attackers to access sensitive data or crash unpatched browsers by taking advantage of an out-of-bounds memory access vulnerability in the V8 JavaScript engine.
Additionally, the business patched two Android zero days on Tuesday that were being used by forensic companies to unlock Pixel phones without a PIN and retrieve the data they contained.
