Updated August 28 with the U.S. government issuing a second update warning.
Here we are again. For the second time in three months, the U.S. government has warned that the world’s most popular browser is known to be under attack. Federal employees have just 21 days to update their browsers or stop using them completely. Given Chrome’s two-billion-plus desktop users, that’s a big deal and should really apply to all users. There’s also a new, nasty sting in the tail that has just come out.
According to the U.S. cybersecurity agency, CVE-2024-7971 “contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page.” This means an attacker can force a logical memory error to destabilize a system, opening the door to an attack. As ever, don’t think of these vulnerabilities in isolation, think of them being used in combination with others.
The nasty surprise is that Google has suddenly added a second attack warning to last week’s advisory. The company updated its August 26 notice “to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release.” This additional exploited vulnerability is listed as an “inappropriate implementation in V8,” meaning the potential for an attack to achieve out-of-bounds (unexpected) memory access, again with a maliciously crafted webpage.
CISA has just issued a second update warning relating to CVE-2024-7965, “based on evidence of active exploitation,” advising that this “inappropriate implementation vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML page,” adding that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
This second warning carries a mandate for all federal employees to update by September 18 or stop using Chrome. It means there are now two active CISA warnings in place—this really is a case of “update now.”
While the first vulnerability was discovered and disclosed by Microsoft, the second was “first discovered by the security researcher known as ‘TheDog’ on July 30, 2024,” as Cyble’s threat intelligence team explains. “With a CVSS score of 8.8, it poses a serious threat to the confidentiality and integrity of affected systems.”
Cyble adds that “exploitation of CVE-2024-7965 requires user interaction, such as visiting a compromised webpage, which could lead to unauthorized access or execution of malicious code. Therefore, both organizations and individual users are strongly urged to update their browsers to safeguard against potential data breaches and other cybersecurity risks.”
While Chrome will grab the headlines given that it dominates the desktop market with 2-billion-plus users, CISA also advises that both Chromium vulnerabilities “could affect multiple web browsers, including Google Chrome, Microsoft Edge, and Opera.” If you’re using any Chromium browser, the warning applies to you.
CISA took more time adding the first known exploit to its KEV catalog than expected. It came almost a week after Google warned that “exploits for CVE-2024-7971 exist in the wild,” updating the stable desktop channel to 128.0.6613.84/.85 for Windows and Mac. I had expected this to be added sooner.
The second warning was much faster, and was issued within 48 hours.
It is now mandatory for all federal employees to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable,” which means update or stop using. The cutoff date is the usual 21 days from release, which is September 16 and September 18 respectively.
This has been a busy month for such warnings, with multiple Windows zero-days and an Android zero-day all coming within a small number of weeks. And while CISA’s formal mandate only applies to federal government employees, many other organizations do—and all should—follow the same guidance. As CISA itself says, the purpose of the catalog and these deadlines is “to help every organization better manage vulnerabilities and keep pace with threat activity.”
All such Chrome zero-days successfully exploit various types of memory vulnerabilities, but the good news is that Google is working on a broader set of defenses to stop this happening quite so frequently.
Updating your browser to the latest stable release will patch both zero-days and multiple other bugs, several of which are high-severity, even if they have not yet been exploited in the wild—as far as we know. The update should download automatically, but restart your browser once that’s done to ensure it installs.
With two zero-days in this latest update—and the potential for more to come—you should follow CISA’s timeline whether you’re a work or home user. We don’t yet know the extent of the ongoing attacks, but such exploits have a habit of getting out more widely, especially in the time between updates being released and applied.
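A quick way to check whether a machine is actually on the patched build rather than trusting that the auto-update has landed. This is an added example, not code from the article, Google or CISA; it assumes the fixed build is 128.0.6613.84 (the version quoted above) and that a Linux-style Chrome/Chromium binary name may be on PATH. The point it makes beyond the text: compare versions numerically, because a naive string comparison gets the fourth component wrong.

```python
import re
import shutil
import subprocess

# First stable build that fixes CVE-2024-7971 and CVE-2024-7965 (from the article).
PATCHED_VERSION = "128.0.6613.84"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text):
    """Pull a 4-part Chromium version out of text and return it as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chromium-style version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed, minimum=PATCHED_VERSION):
    """True if `installed` is at or above `minimum`.

    Compares numerically, not as strings: "128.0.6613.9" is OLDER than
    "128.0.6613.84" even though it sorts later as a string.
    """
    return parse_version(installed) >= parse_version(minimum)


def local_chrome_version():
    """Best effort: ask a locally installed Chromium-family binary for its version.

    Binary names are an assumption (Linux packaging); returns None when nothing
    is found on PATH, e.g. on a server or on Windows.
    """
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(exe)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    v = local_chrome_version()
    if v is None:
        print("No Chrome/Chromium binary found on PATH")
    else:
        print(v, "- patched" if is_patched(v) else "- UPDATE NOW")
```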
As Cyble warns, “CVE-2024-7965 represents a significant security risk for Google Chrome and other Chromium-based browsers. With a high CVSS score of 8.8, this type of confusion flaw in the V8 JavaScript engine can lead to severe consequences if exploited. Given that this vulnerability is actively being targeted, users must promptly update their browsers to the latest version. Google’s recent update addresses this critical issue along with 37 other security fixes, highlighting the importance of staying current with software updates to protect against potential threats.”
Parallel CISA mandates are another theme for this month, with the same being seen with Microsoft’s last Patch Tuesday. Let’s hope none of the other 30+ vulnerabilities addressed in Chrome’s last update prompt further attack warnings.
Watch this space…