
Google has resolved the first zero-day vulnerability actively exploited in Chrome for the year 2024.

Google has released security updates to address the first Chrome zero-day vulnerability exploited in the wild since the beginning of the year. In a security advisory published on Tuesday, Google acknowledges that an exploit for CVE-2024-0519 exists in the wild.

The company fixed the zero-day for users in the Stable Desktop channel, releasing patched versions globally for Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) within a week of the bug being reported to Google.

While the security update may take some time to reach all affected users, it was promptly available when BleepingComputer checked for updates today. Users who prefer not to update manually can rely on Chrome to automatically check and install updates after the next launch.
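For administrators who want to confirm that managed machines have reached the fixed builds listed above, the following added example (not from Google or the original article) audits a small inventory against those per-platform versions. The inventory format, host names and sample lines are constructed for illustration; the version numbers are compared numerically because a plain string comparison would wrongly rank `120.0.6099.99` above `120.0.6099.224`.

```python
import re

# Lowest fixed Stable Desktop build per platform, as quoted in the article.
PATCHED = {
    "windows": (120, 0, 6099, 224),
    "mac": (120, 0, 6099, 234),
    "linux": (120, 0, 6099, 224),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version (e.g. from 'Google Chrome
    120.0.6099.216') and return it as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(platform, version_text):
    """True when the build is at or above the fixed build for the platform."""
    return parse_version(version_text) >= PATCHED[platform.lower()]


def audit(inventory_lines):
    """Return (host, reason) pairs for hosts that need attention."""
    findings = []
    for line in inventory_lines:
        # Assumed inventory format (hypothetical): host,platform,version
        host, platform, version_text = (f.strip() for f in line.split(",", 2))
        try:
            if not is_patched(platform, version_text):
                findings.append((host, f"unpatched: {version_text}"))
        except (ValueError, KeyError):
            # Unparseable version or a platform the article does not list.
            findings.append((host, "unknown platform or version"))
    return findings


# Constructed sample inventory with hypothetical hosts.
SAMPLE = [
    "ws-01,windows,Google Chrome 120.0.6099.225",
    "ws-02,windows,120.0.6099.99",
    "mb-01,mac,Google Chrome 120.0.6099.224",
    "lx-01,linux,Google Chrome 121.0.6167.85",
    "lx-02,linux,not installed",
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE):
        print(f"{host}: {reason}")
```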

The high-severity zero-day vulnerability (CVE-2024-0519) results from a significant out-of-bounds memory access flaw in the Chrome V8 JavaScript engine. Attackers can leverage this vulnerability to access data beyond the memory buffer, potentially gaining unauthorized access to sensitive information or causing a system crash.

According to MITRE, the potential issue arises from the expected sentinel not being found in the out-of-bounds memory, resulting in the excessive reading of data. This situation can lead to either a segmentation fault or a buffer overflow. MITRE further explains that the product might alter an index or engage in pointer arithmetic, referencing a memory location beyond the buffer boundaries. Subsequent read operations under these circumstances may yield undefined or unexpected results.

In addition to unauthorized access to out-of-bounds memory, CVE-2024-0519 could potentially be exploited to circumvent protection mechanisms like ASLR, facilitating easier code execution through another vulnerability.

Although Google is aware of zero-day exploits utilizing CVE-2024-0519 in attacks, the company has not disclosed further details about these incidents. Google explains that access to bug details and links may be restricted until a significant number of users receive the fix. Restrictions may also be maintained if the bug is present in a third-party library relied upon by other projects that have not yet implemented a fix.

Today, Google also addressed V8 out-of-bounds write (CVE-2024-0517) and type confusion (CVE-2024-0518) vulnerabilities, both posing a risk of arbitrary code execution on compromised devices.

In the previous year, Google successfully resolved eight zero-day bugs in Chrome that were exploited in attacks, identified as CVE-2023-7024, CVE-2023-6345, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-4762, CVE-2023-2136, and CVE-2023-2033.

Some, like CVE-2023-4762, were classified as zero-days used to deploy spyware on vulnerable devices of high-risk individuals, including journalists, opposition politicians, and dissidents, weeks after Google released patches.
