Monday, December 23, 2024

Chrome Zero-day Vulnerability (CVE-2024-7971) Actively Exploited in The Wild

Must read

Google has recently addressed a high-severity zero-day vulnerability in its Chrome browser, identified as CVE-2024-7971. This vulnerability involves a type of confusion issue within the V8 JavaScript engine, which can be exploited to execute arbitrary code.

The flaw was reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on August 19, 2024, and is known to be actively exploited in the wild.

Google has acknowledged the active exploitation of this vulnerability and has released updates to mitigate the risk to users.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

High Severity Vulnerabilities in Chrome 128

The latest Chrome update, version 128.0.6613.84/.85, addresses a total of 38 security vulnerabilities. Below are the high-severity flaws that were highlighted:

  • CVE-2024-7964: A use-after-free vulnerability in the Passwords component, reported by an anonymous researcher on August 8, 2024. This type of vulnerability can lead to arbitrary code execution or a crash when the program accesses memory that has already been freed.
  • CVE-2024-7965: An inappropriate implementation issue in the V8 JavaScript engine, reported by a researcher known as TheDog on July 30, 2024. This can potentially allow attackers to execute arbitrary code.
  • CVE-2024-7966: An out-of-bounds memory access flaw in the Skia graphics library, reported by Renan Rios on July 25, 2024. This vulnerability can lead to memory corruption, potentially allowing remote code execution.
  • CVE-2024-7967: A heap buffer overflow in the Fonts component, reported by Tashita Software Security on July 27, 2024. Such vulnerabilities can be exploited to execute arbitrary code.
  • CVE-2024-7968: Another use-after-free issue, this time in the Autofill component, was reported by Han Zheng from HexHive on June 25, 2024.
  • CVE-2024-7969: A type confusion vulnerability in the V8 engine, reported by the CFF of Topsec Alpha Team on July 9, 2024.
  • CVE-2024-7971: As mentioned earlier, this type confusion vulnerability in V8 is actively exploited and was reported by Microsoft.

These vulnerabilities are critical as they can allow attackers to execute arbitrary code, potentially leading to data breaches or system compromise.

Google has rolled out updates to mitigate these vulnerabilities and recommends users update their browsers to the latest version to ensure protection against these exploits

These vulnerabilities have been addressed in the latest Chrome version 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac.

Users are strongly advised to update to the latest version of Google Chrome to protect against these vulnerabilities. Chrome updates automatically, but users can manually check for updates by going to Settings > About Chrome.

Additionally, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the latest security updates as they become available.

Chrome Zero-days patched in 2024:

  1. CVE-2024-0519: This vulnerability is an out-of-bounds memory access issue in the V8 JavaScript engine used by Google Chrome. It allows attackers to potentially execute arbitrary code by exploiting this flaw. This vulnerability has been addressed by updating to a newer version of Chrome.
  2. CVE-2024-2887: This is a type confusion vulnerability in the WebAssembly component of Google Chrome. Type confusion can lead to out-of-bounds memory access, which may result in arbitrary code execution. This vulnerability was demonstrated at Pwn2Own 2024 and has been patched in Chrome updates.
  3. CVE-2024-2886: This vulnerability involves a use-after-free condition in the WebCodecs component of Google Chrome. Use-after-free vulnerabilities can lead to arbitrary code execution if exploited. This issue was also demonstrated at Pwn2Own 2024 and has been resolved in subsequent Chrome updates.
  4. CVE-2024-3159: Another out-of-bounds memory access vulnerability in the V8 JavaScript engine of Google Chrome. Like other out-of-bounds vulnerabilities, it can be exploited to execute arbitrary code. It was demonstrated at Pwn2Own 2024 and has been fixed in newer Chrome versions.
  5. CVE-2024-4671: This is a use-after-free vulnerability in the Visuals component of Google Chrome. Exploiting such vulnerabilities can lead to arbitrary code execution. This vulnerability has been patched in recent Chrome updates.
  6. CVE-2024-4947: A type confusion vulnerability in the V8 JavaScript and WebAssembly engine of Google Chrome. This vulnerability has been actively exploited in the wild, prompting urgent updates to Chrome to mitigate the risk.
  7. CVE-2024-5274: This vulnerability is a type confusion bug in the V8 JavaScript and WebAssembly engine of Google Chrome. It allows for out-of-bounds memory access, potentially leading to arbitrary code execution. Google has acknowledged active exploitation of this vulnerability and has issued patches.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Latest article