Google fixes fifth Chrome zero-day exploited in attacks this year

Google has released an emergency security update to address a critical vulnerability (CVE-2024-4671) discovered in its Chrome browser. This marks the fifth zero-day exploit found and patched in Chrome this year, highlighting the persistent threat landscape facing web users.
CVE-2024-4671: A Deep Dive into the Vulnerability
The vulnerability resides in Chrome's Skia rendering engine, a critical component responsible for visual content display. Exploiting this flaw could allow attackers to execute arbitrary code on a user's device, potentially leading to data breaches, malware installation, and complete system compromise.
Active Attacks Confirmed: Updates Essential for Protection
Disturbingly, Google has confirmed that CVE-2024-4671 is actively being exploited in the wild. This emphasizes the urgency for all Chrome users to update their browsers immediately. Google has released updated versions for various operating systems:
- Windows and Mac: Version 124.0.6367.201/.202
- Linux: Version 124.0.6367.201
These updates will roll out automatically over the coming days and weeks. However, users are strongly encouraged to check for updates proactively: open Chrome's settings menu (the three vertical dots in the upper right corner), choose "About Google Chrome", and click the "Relaunch" button once the update has downloaded.
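As an added example that is not part of the original article, the following Python check parses a Chrome version string and compares it numerically against the minimum fixed builds listed above, which is the test a fleet administrator would run rather than eyeballing the About page; the google-chrome binary name used to read the local version is an assumption.

```python
"""Check whether an installed Chrome build includes the CVE-2024-4671 fix.

Added example, not part of the original article. The minimum patched
versions below are the ones the article lists; the command names used to
read the installed version are assumptions for a typical install.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Minimum fixed build per platform, as stated in the article (Windows and Mac
# shipped as .201 and .202; .201 is the lower bound for both).
PATCHED_MIN = {
    "windows": (124, 0, 6367, 201),
    "mac": (124, 0, 6367, 201),
    "linux": (124, 0, 6367, 201),
}

CVE = "CVE-2024-4671"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from free text such as
    'Google Chrome 124.0.6367.118'. Returns None if none is found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version_text: str, platform: str) -> bool:
    """True if the version in version_text is >= the fixed build for platform.
    Tuple comparison gives numeric (not lexical) ordering, so 124.0.6367.98
    correctly sorts below 124.0.6367.201."""
    ver = parse_version(version_text)
    if ver is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return ver >= PATCHED_MIN[platform.lower()]


def check_installed(platform: str = "linux") -> str:
    """Read the local Chrome version (Linux: google-chrome --version, an
    assumption about the binary name) and report its status for the CVE."""
    exe = shutil.which("google-chrome") or shutil.which("google-chrome-stable")
    if exe is None:
        return "Chrome binary not found on PATH"
    out = subprocess.run([exe, "--version"], capture_output=True, text=True).stdout
    status = "patched" if is_patched(out, platform) else "VULNERABLE, update now"
    return f"{out.strip()}: {status} for {CVE}"
```

Run `check_installed()` on a Linux host to get a one-line verdict, or feed version strings collected from an inventory tool into `is_patched` with the matching platform name.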
The discovery of CVE-2024-4671 underscores a concerning trend of zero-day vulnerabilities in Chrome this year. Three such exploits were identified during the Pwn2Own hacking contest in March, a testament to the growing sophistication of cybercriminals.
**Overview of Key Chrome Vulnerabilities Addressed in 2024:**
- CVE-2024-0519 (January): This high-severity vulnerability targeted Chrome's V8 JavaScript engine. An out-of-bounds memory access weakness could allow remote attackers to trigger heap corruption via a malicious HTML page, potentially leading to the disclosure of sensitive information.
- CVE-2024-2887 (March): This high-severity flaw involved type confusion within the WebAssembly (Wasm) standard, which is used for performance-critical web applications. Attackers could exploit this vulnerability to achieve remote code execution (RCE) by tricking a user into accessing a specially crafted HTML page.
- CVE-2024-2886 (March): This use-after-free vulnerability affected the WebCodecs API, which web applications utilize for audio and video encoding and decoding. Remote attackers could exploit this flaw via malicious HTML pages, enabling them to perform unauthorized memory reads and writes, ultimately leading to remote code execution.
- CVE-2024-3159 (April): Another high-severity vulnerability in the Chrome V8 JavaScript engine, this flaw was an out-of-bounds read. Remote attackers could exploit it using malicious HTML pages to read data beyond allocated memory buffers. This could lead to heap corruption, potentially enabling the extraction of sensitive information.
Strengthening Your Defenses: Beyond Browser Updates
While updating your browser is crucial, a multi-layered security approach is essential for comprehensive protection. Consider the following:
- Use a reputable antivirus/anti-malware solution: This can help detect and neutralize threats that may attempt to exploit vulnerabilities.
- Exercise caution with suspicious links and attachments: Avoid clicking on links or downloading attachments from untrusted sources, as they may lead to malicious websites or malware downloads.
- Enable two-factor authentication (2FA) whenever possible: 2FA adds an extra layer of security to your online accounts by requiring a second form of verification, such as a code sent to your phone, in addition to your password.
- Stay informed about cybersecurity threats: Keep up-to-date on emerging vulnerabilities and attack techniques to better understand the risks and take appropriate preventative measures.
By prioritizing cybersecurity awareness and best practices, we can collectively work towards a safer online environment.
Bleeping Computer 05/10/2024