Google has released an update to fix a zero-day vulnerability in its Chrome browser. The bug, designated CVE-2024-4671, is a use-after-free (UAF) vulnerability in Chrome’s Visuals component, which is responsible for rendering and displaying content within the browser.
UAF flaws occur when an application continues to use a pointer after the memory it points to has been freed upon completion of its legitimate operation. Since the freed memory could now contain different data or be used by other resources, accessing it through the stale pointer could result in data leakage, code execution, or denial-of-service conditions.
While Google hasn’t provided much information on CVE-2024-4671 and how it can be leveraged by threat actors, the company has admitted that an exploit does exist in the wild. It is advising all users of affected versions of Chrome to update to the latest fixed versions, 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux, which will be available in the coming days/weeks.
Source: Bleeping Computer
Analysis
Google’s reluctance to provide detailed information on CVE-2024-4671 is likely a deliberate attempt to buy time for its users to patch their affected browsers before threat actors can take advantage of it. The more detail Google provides, the easier it is for threat actors to develop and deploy exploits. Chrome is used by millions of users worldwide; thus, it represents a large attack footprint for threat actors. It’s therefore critical that users patch Chrome as soon as possible.
CVE-2024-4671 marks the fifth zero-day vulnerability found in Chrome in 2024. In March 2024, Google released updates to address several vulnerabilities found in Chrome during the “Pwn2Own” hacking competition held in Vancouver, Canada. These vulnerabilities included CVE-2024-2887, a high-severity type confusion weakness in the WebAssembly (Wasm) open standard, and CVE-2024-2886, another UAF weakness in the WebCodecs API that could allow remote attackers to perform arbitrary reads and writes via specially crafted HTML pages.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in browsers such as Chrome. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users will be automatically notified if a vulnerable version of Chrome is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages users of the affected Chrome versions to update to the latest version as soon as possible, in accordance with Google’s advisory.
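To act on that advice across a fleet, the following added example (not from Google or Field Effect) checks an inventory of installed Chrome versions against the fixed build named above. The CSV layout, hostnames and sample versions are constructed, and it assumes any build numerically at or above 124.0.6367.201 carries the fix.

```python
import csv
import io
import re

# Lowest fixed build named in the article (Mac/Windows also received .202).
FIXED = (124, 0, 6367, 201)

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """host,platform,chrome_version
ws-001,windows,124.0.6367.202
ws-002,windows,124.0.6367.119
mac-01,mac,124.0.6367.201
lnx-07,linux,124.0.6367.99
lnx-08,linux,125.0.6422.60
kiosk-3,windows,unknown
"""

VERSION_RE = re.compile(r"\d+(?:\.\d+){3}", re.ASCII)


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Compare numerically: as plain strings, '.99' would sort above '.201'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs manual follow-up, not a silent pass
    return "fixed" if version >= FIXED else "needs_update"


def triage(inventory_csv):
    """Map each host in the CSV inventory to its patch status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["chrome_version"]) for row in reader}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts reported as `unknown` should be treated as unpatched until their version is confirmed.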