Google disclosed yet another Chrome zero-day, the fourth one this month and the eighth so far in 2024.
In a May 23 blog post, Google said the flaw — CVE-2024-5274 — was a type confusion in Chrome’s V8 JavaScript engine that executes JS code.
Type confusions occur when attackers modify the type of a given variable to trigger unintended behavior. This can lead to many kinds of bypasses and flaws, such as cross-site scripting, access control bypasses, and denial-of-service attacks.
The bug was reported on May 20 by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security. Google also said it’s aware that an exploit for CVE-2024-5274 exists in the wild.
Google Chrome’s widespread use makes it a prime target for attackers given its potential to impact millions globally, pointed out Callie Guenther, senior manager of threat research at Critical Start, and an SC Media columnist.
Guenther said the variety of vulnerabilities, such as type confusion and use-after-free issues, reflects the inherent complexities of modern browsers, which often lead to security gaps. Guenther said Google’s rapid response in patching these vulnerabilities shows strong capability in handling security threats, although the change to weekly security updates suggests an increase in either the rate of vulnerability discovery or exploitation attempts.
“Repeated exploitation of similar vulnerabilities indicates that attackers may be focusing on specific components of Chrome’s architecture, which could provide strategic intelligence on threat patterns,” said Guenther. “Despite Google’s efforts, the effectiveness of these patches largely depends on users restarting their browsers to apply updates, underlining the importance of continuous cybersecurity education for users.”
John Bambenek, president at Bambenek Consulting, added that because this flaw is already actively exploited in the wild, we can assume attackers have fully instrumented attacks for remote code execution.
“It certainly seems possible that exploit writers know something about Google Chrome that we don’t, considering the frequency of vulnerabilities lately,” said Bambenek. “Organizations and users should update Chrome and Edge immediately.”
Ted Miracco, chief executive officer at Approov, said that, as an open-source project, Chrome receives contributions from a global community of developers. This collaborative effort can enhance the security review process, but Miracco said it also means vulnerabilities can be introduced by any contributor.
“While we can’t hold Google solely responsible for every vulnerability in Chrome because of its open-source nature, they do bear significant responsibility as the primary maintainer,” said Miracco. “Google’s accountability involves ensuring robust security practices, promptly addressing vulnerabilities, and maintaining transparent communication with users.”