CyberSecurity SEE

Serious Zero-Day Vulnerability in Google Chrome Enables Sandbox Escape

Google has recently rolled out an emergency security update for its Chrome browser, addressing a zero-day vulnerability for which exploit code has been released in the wild. This vulnerability poses a serious threat as it could potentially lead to data theft, malware implantation, lateral movement, and more.

This latest security patch, available in version 124.0.6367.207 of the Chrome browser, specifically targets CVE-2024-4761, a high-severity out-of-bounds write issue in V8, Google’s open-source JavaScript and WebAssembly engine. The vulnerability also affects Chromium-based browsers. Using a crafted HTML page, a remote attacker who has compromised the renderer process could perform a sandbox escape, moving beyond the browser tab to pivot to other web applications or the network.

According to security experts at Malwarebytes, this exploit allows attackers to manipulate memory allocated to critical functions, enabling them to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

While Google has acknowledged the existence of exploit code for this vulnerability, it has not confirmed active exploitation. However, experts like Casey Ellis from Bugcrowd have expressed concerns that exploitation is likely imminent given the availability of exploit code in the wild.

This is the second zero-day vulnerability that Google has addressed in the past week and the sixth zero-day for the year so far. Just four days prior to this update, Google patched another zero-day vulnerability, CVE-2024-4671, which was being actively exploited. This flaw, a use-after-free (UAF) issue in Visuals in Google Chrome, also allowed a remote attacker who compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

It is essential for users to update their Chrome browser to the latest version to ensure protection against these vulnerabilities. Chrome typically updates automatically, but users can manually trigger the update by clicking on “Settings” and then “About Chrome.” Security teams should also ensure that all Chrome installations within their organization are promptly updated.
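For security teams checking a fleet, the following added example (not from the original article or from Google) audits a browser inventory against the fixed version 124.0.6367.207 named above. The CSV layout, hostnames and sample versions are constructed, and other Chromium-based browsers are sent to manual review because the article gives no fixed version for them.

```python
import csv
import io

# Fixed Chrome version for CVE-2024-4761, as stated in the article.
PATCHED = (124, 0, 6367, 207)

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,browser,version
ws-001,Google Chrome,124.0.6367.207
ws-002,Google Chrome,124.0.6367.91
ws-003,Google Chrome,123.0.6312.122
ws-004,Google Chrome,125.0.6422.60
ws-005,Google Chrome,124.0.6367.1000
ws-006,Google Chrome,unknown
ws-007,Microsoft Edge,124.0.2478.97
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, version_text):
    """Classify one install as 'patched', 'vulnerable', or 'review'."""
    # Other Chromium-based browsers use their own version numbers; the
    # article gives no fixed version for them, so flag them for review.
    if browser.strip().lower() != "google chrome":
        return "review"
    version = parse_version(version_text)
    if version is None:
        return "review"
    # Tuple comparison is numeric per component, so 6367.1000 > 6367.207
    # and 6367.91 < 6367.207; a plain string comparison gets both wrong.
    return "patched" if version >= PATCHED else "vulnerable"

def audit(inventory_csv):
    """Map each status to the list of hosts that fall under it."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["browser"], row["version"])].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts)}")
```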

The prevalence of zero-day vulnerabilities in Chrome has raised serious security concerns, as threat actors, including state-sponsored groups, can exploit these vulnerabilities for cyber espionage, data theft, and targeted attacks. To mitigate the risk of data breaches, implementing additional security measures such as browser isolation and sandboxing is recommended.

In conclusion, staying vigilant about software updates and security protocols is critical in today’s cyber threat landscape. By promptly applying security patches and adopting best practices for cybersecurity, individuals and organizations can safeguard against potential exploits and data breaches.
