CyberSecurity SEE

Chrome Resolves Fourth Zero-Day Vulnerability Within Two Weeks, Eighth Total in 2024

In response to the recent wave of zero-day vulnerabilities, Google has rolled out a new Chrome update aimed at addressing a critical flaw classified as CVE-2024-5274. This vulnerability, which represents the fourth zero-day security issue discovered in the past two weeks and the eighth overall in 2024, is rooted in a type confusion weakness within the Chrome V8 JavaScript and WebAssembly engine.

According to an advisory issued by Google, the company is aware that an exploit for CVE-2024-5274 is already being circulated in the wild. While Google has refrained from sharing specific details regarding the bug or its exploitation, credit has been given to Clement Lecigne of Google’s Threat Analysis Group (TAG) and Brendon Tiszka of Chrome Security for reporting the flaw. Notably, no bug bounty reward has been disclosed for this discovery.

The potential impact of exploiting this vulnerability is severe, as it could pave the way for arbitrary code execution within the context of the logged-on user. The Center for Internet Security elaborated on the potential consequences, highlighting that depending on the user’s privileges, an attacker could carry out activities such as installing programs, modifying data, or creating new accounts with full user rights. Users with restricted system privileges may face a lower impact compared to those operating with administrative rights.

Historically, Chrome vulnerabilities have been enticing targets for commercial spyware vendors. Google TAG researchers have previously identified and reported several zero-day vulnerabilities that were exploited by spyware vendors, underscoring the critical need for prompt patching and mitigation efforts.

CVE-2024-5274 marks the fourth zero-day flaw addressed by Google within a mere 15-day timeframe, following the resolution of CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947. In total, Google has tackled eight zero-day vulnerabilities this year, with three of them—CVE-2024-2886, CVE-2024-2887, and CVE-2024-3159—being showcased at the Pwn2Own Vancouver 2024 hacking contest.

The newly released Chrome version, designated as 125.0.6422.112 for Linux and 125.0.6422.112/.113 for Windows and macOS, includes critical security fixes to address the identified vulnerabilities. Similarly, Chrome for Android has been updated to versions 125.0.6422.112/.113 to ensure a consistent security posture across all platforms.

Moreover, Opera, which shares the Chromium engine with Google Chrome, has promptly rolled out an update to rectify the CVE-2024-5274 zero-day vulnerability. The latest stable release of Opera, version 110.0.5130.39, incorporates essential security enhancements to safeguard users while browsing.
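As an added example (not from the article or from Google), the fixed builds named above can be turned into a fleet check that flags hosts still below them. The `host,product,version` inventory format, the host names and the sample versions are constructed assumptions; the comparison is numeric per component because a plain string comparison would rank `.99` above `.112`.

```python
import re

# Fixed builds as stated in the article above.
FIXED = {
    "chrome": (125, 0, 6422, 112),
    "opera": (110, 0, 5130, 39),
}

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted four-part version."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(product, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one inventory record."""
    fixed = FIXED.get(product.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised product or unparsable version: review by hand
    # Tuple comparison is numeric per component, so 6422.99 < 6422.112.
    return "patched" if version >= fixed else "needs-update"

# Constructed inventory (host,product,version); not real data.
SAMPLE_INVENTORY = """\
ws-001,Chrome,125.0.6422.113
ws-002,Chrome,125.0.6422.99
lin-003,chrome,124.0.6367.207
mac-004,Opera,110.0.5130.39
ws-005,Opera,109.0.5097.80
ws-006,Chrome,not-installed
"""

def audit(inventory_text):
    """Map each host in the inventory to its classification."""
    results = {}
    for line in inventory_text.splitlines():
        parts = [field.strip() for field in line.split(",")]
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        host, product, version = parts
        results[host] = classify(product, version)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```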

As the cybersecurity landscape continues to evolve, proactive measures such as timely patching and software updates are crucial to mitigating risks posed by zero-day vulnerabilities. Users are advised to remain vigilant and prioritize security best practices to defend against potential cyber threats.

The Cyber Express emphasizes the importance of critical information dissemination and user awareness, disclaiming any liability for the accuracy or consequences arising from reliance on the provided information. Stay informed and stay secure in today’s digital age.
