3rd Google Chrome Update Due to Attacks

Google has issued another crucial warning—the third in just a few days—as another active threat is uncovered

Google has released an additional critical update, which brings the Stable channel of Chrome for Mac and Windows to version 124.0.6367.207/.208, in response to the anonymous complaint and patching of another zero-day vulnerability. Like the previous week, users are cautioned that “Google is cognizant of the existence of an exploit for CVE-2024-4761 in the wild.”

The Chrome V8 JavaScript and WebAssembly engine is susceptible to this vulnerability, which allows “a remote attacker to execute an out-of-bounds memory write through the manipulation of an HTML page.” The severity of the threat is rated as “high,” but users must update and relaunch immediately because it has been exploited.

An “out-of-bounds” write error occurs when maliciously crafted software gains unauthorized access to the memory of a device, which can lead to unanticipated instability issues, program or device crashes, or even the execution of additional malicious code. Memory issues of this nature are a recurring concern regarding vulnerabilities in Chrome.

This day marks the sixth occurrence of a zero-day this year.

As usual, no additional information has been disclosed; users are encouraged to update. “Access to information regarding bugs and links may be restricted until most users have been notified of a fix.”

Similar to the previous week, disseminating warnings and issuing an emergency release through multiple media channels should alert the two billion desktop users to update manually, verify that the automatic update has been applied, or restart the browser.

Despite the persistent monitoring concerns that have long impeded its ability to strike a balance between user privacy and marketing objectives, Chrome remains an exceptional web browser. However, due to its widespread presence, particularly among Windows users, it serves as a formidable target for developing exploits.

Update 5/16: As if more than two zero-day emergency updates within a week were insufficiently needed, the third has arrived. Moreover, although Google has encountered Chrome security vulnerabilities occasionally, the current situation is beginning to resemble one that is considerably more difficult to manage.

Nine security fixes were verified in the company’s advisory dated May 15, while the two emergency updates released within the past week have only addressed a single issue. Updates have been made to the stable channel to 125.0.6422.60 (Linux) and 125.0.6422.60/.61 (Windows and Mac).

Google states it is “aware that an exploit for CVE-2024-4947 exists in the wild” as one of the nine patches.

This is a critical “type confusion” vulnerability in the underlying Chrome engine. This affects memory like the vast majority of zero days in Chrome. Typically, a crafted HTML page could cause the system to fail or provide access to a second exploit.

The two major issues that external researchers have identified and highlighted in Google’s advisory are as follows:

High priority, CVE-2024-4947: V8 Type Confusion. As reported on 2024-05-13 by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky.

Utilize high CVE-2024-4948, following no cost in Dawn. As reported by wgslfuzz on April 9, 2024.

The remaining two vulnerabilities identified externally posed a lesser threat: Medium, CVE-2024-4949: Utilize in V8 after no cost. As reported on 2024-02-24 by Ganjiang Zhou (@refrain_areu) of the ChaMd5-H1 team.

Downloads contain an inappropriate implementation (CVE-2024-4950, low). According to Shaheen Fazim’s report from March 6, 2023:06.

Internally, the remaining issues were identified. “As usual, various fixes were implemented due to our ongoing internal security efforts, which included fuzzing, internal audits, and other initiatives.”

Google claims to have disbursed $8,000 for low-risk vulnerabilities but has yet to reveal the amount paid for the most critical ones. “We would like to extend our gratitude to all security researchers who collaborated with us throughout the development process to ensure that no security vulnerabilities ever made their way into the stable channel,” the statement continued.

Chrome should automatically implement these updates; however, users may verify that the software is up-to-date by accessing the Help/About Google Chrome page. Additionally, it is prudent to completely shut down and relaunch the browser to ensure that no known latent issues persist.

Revision 5/15: Even though it is unsettling that there have been three emergency updates in a week and that tracking cookies are still not being deleted, Google seems determined to make Chrome safer with projects like the V8 sandbox, which fixes common memory problems, and the smart new Device Bound Session Credentials (DBSC) method, which stops session cookie theft.

This week at Google I/O, the confirmation that the company’s Gemini AI is being integrated into Chrome—making this one of its most significant bets—expressed precisely why this is all so crucial. Nano will also be implemented in the update for on-device generative AI tasks, such as assisting users with text creation.

“Google also announced that Gemini will be integrated into Chrome DevTools, which application developers use to debug and optimize their programs,” The Verge reports. Gemini can offer clarifications regarding error messages and propose resolutions for coding complications.

Developers were informed at the event by Chrome’s product director, Jon Dahlke, “This is a significant shift for the web, and we want to get it right.”

The vast universe of AI will transform the web experience for billions, including search, creation, and perusing. And with Chrome already facing six zero days this year, this “big shift for the web” will present Google with significant security challenges that it must resolve.

The security sector will soon learn how the AI-powered threat landscape changes; however, its understanding is currently limited. Regardless, the repercussions for users and the software they employ will be enormous.