
Chrome Under Attack: Update Now To Thwart 4th Zero-Day

Urgent Chrome Update Patch Critical Zero-Day Exploited In The Wild

Published on May 28th, 2024

Google has patched a high-severity vulnerability in Chrome, CVE-2024-5274, that is being actively exploited in the wild.

The flaw is a type confusion bug in V8, Chrome's JavaScript and WebAssembly engine, and carries significant risk because V8 runs untrusted script from every page a user visits.

Type confusion occurs when code handles an object of one type as if it were another, so that lengths, field offsets or pointers are read from the wrong layout. In a JavaScript engine this typically gives attacker-controlled script out-of-bounds memory reads or writes, which can crash the renderer or be turned into code execution inside Chrome's sandboxed renderer process; taking over the machine additionally requires a sandbox-escape bug, which is why in-the-wild Chrome exploits are usually chains of several vulnerabilities.
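To make the mechanism concrete, here is an added illustration in C. It is a constructed example, not V8 code and not from the original article: the object layouts (`number_obj`, `array_obj`), the kind tags and the 64-byte simulated heap are all hypothetical. A Number object is placed directly before a second object holding data the script should never see. An accessor that assumes it was handed an Array (the kind of assumption an optimizing compiler makes after speculating on an object's type) reads the Number's payload as the Array's length, passes its own bounds check against that bogus length, and reads straight into the neighbouring object. The hardened accessor checks the kind tag first and refuses.

```c
/* Type-confusion demo on a simulated heap (constructed example, not V8 code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum kind { KIND_NUMBER = 1, KIND_ARRAY = 2 };

/* Every heap object starts with a kind tag. */
struct header { uint32_t kind; uint32_t pad; };

struct number_obj {              /* 16 bytes: header + 64-bit payload */
    struct header h;
    uint64_t bits;
};

struct array_obj {               /* 16-byte header, then `length` 8-byte elements */
    struct header h;
    uint32_t length;
    uint32_t pad;
    uint64_t elems[];
};

/* Simulated heap (hypothetical layout): object A at offset 0, object B at offset 16. */
#define HEAP_SIZE 64
static uint8_t heap[HEAP_SIZE];

/* Two Numbers back to back: the attacker's value first, a secret value after it. */
static void build_two_numbers(uint64_t attacker_bits, uint64_t secret_bits)
{
    struct number_obj a = { { KIND_NUMBER, 0 }, attacker_bits };
    struct number_obj b = { { KIND_NUMBER, 0 }, secret_bits };
    memset(heap, 0, sizeof heap);
    memcpy(heap, &a, sizeof a);
    memcpy(heap + sizeof a, &b, sizeof b);
}

/* A genuine Array at offset 0 with the given elements. */
static void build_array(const uint64_t *elems, uint32_t length)
{
    struct array_obj hdr = { { KIND_ARRAY, 0 }, length, 0 };
    memset(heap, 0, sizeof heap);
    memcpy(heap, &hdr, sizeof hdr);                 /* sizeof excludes elems[] */
    memcpy(heap + sizeof hdr, elems, (size_t)length * sizeof *elems);
}

/* VULNERABLE: assumes `obj` is an Array and never looks at the kind tag.
 * The bounds check is real, but it compares against whatever bytes sit at
 * the length offset, which for a Number is half of its payload. */
static int array_get_unchecked(const uint8_t *obj, uint32_t index, uint64_t *out)
{
    uint32_t length;
    memcpy(&length, obj + offsetof(struct array_obj, length), sizeof length);
    if (index >= length)
        return 0;
    memcpy(out, obj + offsetof(struct array_obj, elems) + (size_t)index * 8, 8);
    return 1;
}

/* HARDENED: verify the kind tag before interpreting the body as an Array. */
static int array_get_checked(const uint8_t *obj, uint32_t index, uint64_t *out)
{
    uint32_t kind;
    memcpy(&kind, obj + offsetof(struct header, kind), sizeof kind);
    if (kind != KIND_ARRAY)
        return -1;
    return array_get_unchecked(obj, index, out);
}

/* The attack: the Number at offset 0 is viewed as an Array. Its all-ones
 * payload (a NaN bit pattern) reads as length 0xFFFFFFFF, so index 1 passes
 * the bounds check and reads offset 16 + 8 = 24, the neighbour's payload.
 * The index is chosen so the read stays inside the simulated heap buffer. */
uint64_t leak_neighbour(void)
{
    uint64_t leaked = 0;
    build_two_numbers(0xFFFFFFFFFFFFFFFFull, 0x4142434445464748ull);
    array_get_unchecked(heap, 1, &leaked);
    return leaked;
}

/* Same setup through the checked accessor: returns 1 if the read was refused. */
int confusion_refused(void)
{
    uint64_t v = 0;
    build_two_numbers(0xFFFFFFFFFFFFFFFFull, 0x4142434445464748ull);
    return array_get_checked(heap, 1, &v) == -1;
}

/* A real Array still works through the checked path; UINT64_MAX = out of range. */
uint64_t real_array_element(uint32_t index)
{
    const uint64_t elems[2] = { 10, 20 };
    uint64_t v = 0;
    build_array(elems, 2);
    return array_get_checked(heap, index, &v) == 1 ? v : UINT64_MAX;
}

int main(void)
{
    printf("unchecked read through a Number leaks 0x%016llx\n",
           (unsigned long long)leak_neighbour());
    printf("checked read refused: %d\n", confusion_refused());
    printf("real array[1] = %llu\n", (unsigned long long)real_array_element(1));
    return 0;
}
```

The point to notice is that the vulnerable accessor does have a bounds check; it is simply checking against a length that belongs to a different type. In a real engine the "neighbour" would be whatever the attacker arranged to allocate next to the confused object, and a write primitive built the same way is what gets escalated to code execution.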

Fourth Chrome Zero-Day Fixed In May 2024

This marks the fourth zero-day vulnerability patched by Google in Chrome this month alone.

Previous fixes addressed CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.

Google refrained from disclosing technical details surrounding the vulnerability but acknowledged the existence of a working exploit.

It remains unclear if this latest patch addresses a bypass for CVE-2024-4947, another V8 type confusion bug.

This incident highlights the steady stream of zero-day exploits targeting Chrome, and users should prioritize browser updates to mitigate them.

With the latest fix, Google has resolved a total of eight zero-days in Chrome over the past five months. The seven earlier ones were:

  • CVE-2024-0519 – Out-of-bounds memory access in V8
  • CVE-2024-2886 – Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
  • CVE-2024-2887 – Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
  • CVE-2024-3159 – Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
  • CVE-2024-4671 – Use-after-free in Visuals
  • CVE-2024-4761 – Out-of-bounds write in V8
  • CVE-2024-4947 – Type confusion in V8

How To Stay Secure

  • Update Chrome to version 125.0.6422.112/.113 (Windows/macOS) or 125.0.6422.112 (Linux).
  • Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also apply updates when available.
  • Stay informed about the latest security threats by following reputable cybersecurity news sources.

Most Chrome users have automatic updates enabled, which is crucial for security patches like these. Automatic updates alone are not sufficient, though: Chrome downloads a new version in the background, but the patched code only runs after the browser is relaunched, so a browser left open for days keeps running the vulnerable version. Close and restart Chrome (or use the Relaunch button that appears on the About Chrome page once an update has been downloaded) to confirm that the update has been fully applied.

Given four exploited zero-days in a single month, and the effort involved in rolling out that many updates across a fleet in so short a time, it is prudent to restart Chrome today rather than wait. Even if you believe the update has already been installed, a manual restart provides an extra layer of assurance. Hopefully this marks the end of a rough stretch for the browser.

Frequently Asked Questions (FAQs)

1. What are zero-day exploits?

A zero-day vulnerability is a flaw the vendor has had zero days to fix: it is being exploited, or is publicly known, before a patch exists. A zero-day exploit is working attack code for such a flaw, and "exploited in the wild" means it has already been used against real targets. Until the fix ships and is installed, attackers can use it to compromise systems, which is why these updates should not wait.

2. How can I tell if my Chrome browser is updated?

Click the three vertical dots in the top right corner of Chrome, select "Settings" and then "About Chrome" (or type chrome://settings/help in the address bar). Your current version is displayed, and Chrome checks for an update at the same time; if one is available it downloads automatically and the page then shows a Relaunch button. The update does not take effect until you relaunch. For CVE-2024-5274 the version should be 125.0.6422.112 or later.

3. Where can I find more information about this vulnerability?

Google has withheld technical details while most users update. The linked Google security blog post https://security.googleblog.com/2023/08/an-update-on-chrome-security-updates.html explains Chrome's weekly security-update cadence rather than this specific bug; the stable-channel release notes on the Chrome Releases blog list the CVE and the fixed version.