Google Issues Emergency Patch for Dangerous Chrome Zero-Day Vulnerability

Dangerous Google Chrome Zero-Day Vulnerability | CyberPro Magazine


New Exploit Poses Serious Threat

Google has urgently released a security update for its Chrome browser to address a zero-day vulnerability, CVE-2024-4761, for which exploit code is circulating in the wild. This critical flaw, if exploited, could lead to data theft, malware implantation, and unauthorized lateral movement within systems. The patch, delivered in Google Chrome’s latest update to version 124.0.6367.207, addresses the second zero-day vulnerability fixed by Google in the past week and the sixth for the year so far.

The vulnerability stems from a high-severity out-of-bounds write in Google’s V8 JavaScript and WebAssembly engine, which is fundamental to Chromium-based browsers. This flaw allows remote attackers who have compromised the browser’s renderer process to potentially escape the browser’s sandbox. This means that, via a specially crafted HTML page, they could pivot from the browser to other web applications or the network.

Malwarebytes explained that the exploit enables attackers to manipulate critical parts of memory, allowing them to execute code with elevated permissions. While Google has confirmed the existence of exploit code, it has not observed active exploitation in the wild. Nonetheless, experts like Casey Ellis from Bugcrowd suggest that exploitation is likely imminent given the availability of the exploit.

Recent Patch History and Ongoing Threats

Just four days prior to the CVE-2024-4761 patch, Google addressed another zero-day vulnerability, CVE-2024-4671. This use-after-free (UAF) flaw in the Visuals component of Google Chrome versions before 124.0.6367.201 was already being exploited in the wild. Similar to CVE-2024-4761, this vulnerability also allowed attackers to perform a sandbox escape via a crafted HTML page. According to Malwarebytes, such vulnerabilities are particularly dangerous because they can be exploited through drive-by attacks, where users are compromised simply by visiting a malicious website.

While both vulnerabilities involve sandbox escapes and renderer process compromises, Google has not disclosed whether they are related. This lack of detail is consistent with Google’s usual policy on vulnerability disclosures.

These vulnerabilities are part of a worrying trend. Earlier in the year, three other significant vulnerabilities were revealed at the Pwn2Own event in March, and another was patched in January. These included type-confusion issues and out-of-bounds memory access bugs, all within Chrome’s V8 engine.

Increasing Zero-Day Exploits and Security Implications

The six zero-day vulnerabilities patched in Chrome so far in 2024 are part of a broader increase in zero-day exploits. In 2023, Mandiant, a Google subsidiary, tracked eight zero-day vulnerabilities in Chrome exploited by threat actors. This represents a significant increase in zero-day exploitation compared to previous years. Mandiant also reported a 50% rise in overall zero-day vulnerabilities exploited in 2023 compared to 2022, with many of these attacks aimed at data theft and cyber-espionage by state-sponsored actors.

Callie Guenther from Critical Start highlighted the intelligence implications of these frequent discoveries, noting that state-sponsored groups could use these vulnerabilities for cyber espionage and targeted attacks. To mitigate these risks, it’s crucial for users to ensure their systems are updated promptly.

Google Chrome typically updates automatically, but users should close and reopen their browser or manually start the update process via the settings menu to ensure they receive the latest patches. Security teams are advised to update all Chrome installations immediately and consider additional measures like browser isolation and sandboxing to enhance protection.
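
One way a security team could check a fleet against the two fixed builds named in this article (an added example, not code from the article or from Google; the inventory format, hostnames and sample versions are constructed). It compares versions numerically and separates hosts that have the update on disk but keep running an old build until Chrome is closed and reopened.

```python
import csv
import io

# Fixed builds as stated in the article: versions before these are affected.
FIXED_IN = {
    "CVE-2024-4671": "124.0.6367.201",
    "CVE-2024-4761": "124.0.6367.207",
}

# Constructed sample inventory (assumed format). "installed" is the build on disk;
# "running" is the live process, which stays on the old build until Chrome restarts.
SAMPLE_INVENTORY = """host,installed,running
ws-001,124.0.6367.207,124.0.6367.207
ws-002,124.0.6367.207,124.0.6367.155
ws-003,124.0.6367.201,124.0.6367.201
ws-004,124.0.6367.99,
ws-005,not-a-version,
"""

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def exposed_cves(version):
    """Return the CVEs in FIXED_IN that the given build is still affected by."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < parse_version(fixed))

def triage(inventory_csv):
    """Map each host to (status, cves): patched, restart-pending, vulnerable or unknown."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, cves = "patched", []
        try:
            on_disk = exposed_cves(row["installed"])
            live = exposed_cves(row["running"]) if row["running"] else []
            if on_disk:
                status, cves = "vulnerable", on_disk
            elif live:
                status, cves = "restart-pending", live
        except ValueError:
            status = "unknown"  # unparseable version: investigate, never assume patched
        report[row["host"]] = (status, cves)
    return report

for host, (status, cves) in triage(SAMPLE_INVENTORY).items():
    print(f"{host}: {status} {', '.join(cves)}")
```

A plain string comparison would rank `124.0.6367.99` above `124.0.6367.207` and report ws-004 as patched, which is why the versions are parsed into integer tuples first.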

As Casey Ellis pointed out, an emergency patch from Google is a significant alert, emphasizing the urgency of applying updates to protect against potential threats. Users and security teams alike should not delay in applying these critical updates to safeguard their systems.