Google addresses the first active 2024 Chrome zero-day exploit.
A quick update on Chrome’s first major zero-day vulnerability of 2024, which seems to have been addressed, or has it?
To address the first Chrome zero-day vulnerability that has been used in the wild since the year’s beginning, Google has published security fixes.
In a security alert released on Tuesday, Google stated, “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.”
After the zero-day was reported to Google, the company fixed it for users in the Stable Desktop channel, and less than a week later, patched versions were made available to Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) users worldwide.
The security fix was instantly accessible when BleepingComputer checked for updates today, despite Google’s statement that it might take days or weeks to reach all impacted users.
For users who would rather not update their browser manually, Chrome can be configured to automatically check for updates and install them after the next launch.
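For administrators who want to confirm the rollout rather than wait for it, the following added example (not from Google or the cited sources) checks an inventory of Chrome version strings against the patched builds listed above. The inventory format, hostnames and sample versions are constructed, and the check assumes that any build at or above the listed one, including later major versions, carries the fix.

```python
import re

# Patched Stable builds as listed in the article above, per desktop platform.
# Assumption: any version at or above these (later majors included) has the fix.
PATCHED = {
    "windows": (120, 0, 6099, 224),
    "mac": (120, 0, 6099, 234),
    "linux": (120, 0, 6099, 224),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from text such as
    'Google Chrome 120.0.6099.216'; return None if there is none."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory entry."""
    minimum = PATCHED.get(platform.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Tuples compare numerically per component, so .99 < .224
    # (a plain string comparison would get this wrong).
    return "patched" if version >= minimum else "vulnerable"


def audit(inventory):
    """inventory: iterable of (host, platform, version_text).
    Returns the entries that are not confirmed patched."""
    return [(host, platform, text, s)
            for host, platform, text in inventory
            if (s := status(platform, text)) != "patched"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Windows", "Google Chrome 120.0.6099.225"),
    ("ws-002", "Windows", "Google Chrome 120.0.6099.217"),
    ("mb-014", "Mac", "Google Chrome 120.0.6099.224"),  # below the Mac build
    ("lx-203", "Linux", "Google Chrome 120.0.6099.99"),
    ("lx-204", "Linux", "Google Chrome 121.0.0.0"),
    ("ks-001", "ChromeOS", "120.0.6099.224"),
    ("ws-003", "Windows", "not installed"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Entries reported as unknown are deliberately not treated as patched, since the article lists fixed builds only for Windows, Mac and Linux.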
The high-severity zero-day (CVE-2024-0519) is an out-of-bounds memory access vulnerability in the Chrome V8 JavaScript engine. Attackers can use it to access data beyond the memory buffer, giving them access to confidential information or causing a crash.
“The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow,” says MITRE. “The programme has the ability to alter an index or execute pointer arithmetic that points to a memory address outside the buffer’s bounds. The results of a subsequent read operation are then unclear or unexpected.”
In addition to granting unauthorised access to out-of-bounds memory, CVE-2024-0519 has the potential to circumvent security measures like ASLR, thereby simplifying the process of executing code through an additional vulnerability.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google stated. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Additionally, Google patched two vulnerabilities today: V8 out-of-bounds write (CVE-2024-0517) and type confusion (CVE-2024-0518), which on compromised devices allow for arbitrary code execution.
Google resolved eight Chrome zero-day issues exploited in attacks last year, identified as CVE-2023-7024, CVE-2023-6345, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-4762, CVE-2023-2136, and CVE-2023-2033.
Some of these, such as CVE-2023-4762, were identified, some weeks after the company published updates, as zero-day exploits used to install spyware on vulnerable devices belonging to high-risk users, such as journalists, opposition politicians, and dissidents.
Although Google is aware of the use of CVE-2024-0519 zero-day exploits in attacks, the corporation has not released any additional information about these occurrences.
References:
Arntz, P. (2024, January 18). Update Chrome! Google patches actively exploited zero-day vulnerability. Malwarebytes. https://www.malwarebytes.com/blog/news/2024/01/update-chrome-google-patches-actively-exploited-zero-day-vulnerability
Google fixes first actively exploited Chrome zero-day of 2024. (n.d.). BleepingComputer. Retrieved January 18, 2024, from https://www.bleepingcomputer.com/news/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2024/amp/
N, B. (2024, January 17). Google Chrome Browser Zero-Day Vulnerability Exploited in Wild. Cyber Security News. https://cybersecuritynews.com/google-chrome-browser-zero-day-vulnerability/amp/