Chrome Fixes Fourth Zero-Day In Two Weeks, Eighth This Year


Google released a new Chrome update on Thursday to fix the fourth zero-day vulnerability in two weeks and eighth overall in 2024.

The high-severity flaw, tracked as CVE-2024-5274, is rooted in a type confusion weakness within the Chrome V8 JavaScript and WebAssembly engine.

“Google is aware that an exploit for CVE-2024-5274 exists in the wild,” the company said in an advisory.

Google did not provide details on the bug or the exploitation but credited Clement Lecigne of Google’s Threat Analysis Group (TAG) and Brendon Tiszka of Chrome Security for reporting the flaw. There is no knowledge of any bug bounty reward for this discovery.

“Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user,” the Center for Internet Security explained. Depending on the privileges associated with the logged on user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have less rights on the system could be less impacted than those who operate with administrative user rights.”

Chrome vulnerabilities are often targeted by commercial spyware vendors. Google TAG researchers have previously reported several zero-days exploited by spyware vendors, including security defects in Google’s browser.

CVE-2024-5274 is the fourth zero-day patched in the last 15 days, following CVE-2024-4671 (use-after-free in Visuals), CVE-2024-4761 (out-of-bounds write in V8), and CVE-2024-4947 (type confusion in V8).

So far this year, Google has resolved a total of eight Chrome zero-days. Three of these, CVE-2024-2886, CVE-2024-2887, and CVE-2024-3159, were demonstrated at the Pwn2Own Vancouver 2024 hacking contest in March.

Complete list of zero-days published in 2024:

  • CVE-2024-0519: Out-of-bounds memory access in V8
  • CVE-2024-2886: Use-after-free in WebCodecs (presented at Pwn2Own 2024)
  • CVE-2024-2887: Type confusion in WebAssembly (presented at Pwn2Own 2024)
  • CVE-2024-3159: Out-of-bounds memory access in V8 (presented at Pwn2Own 2024)
  • CVE-2024-4671 – Use-after-free in Visuals
  • CVE-2024-4761 – Out-of-bounds write in V8
  • CVE-2024-4947 – Type confusion in V8

The latest Chrome version has now been rolled out as 125.0.6422.112 for Linux and 125.0.6422.112/.113 for Windows and macOS. Google also released Chrome for Android versions 125.0.6422.112/.113 with the same security fixes.

Opera Rolled-Out Update to Fix Chrome Zero-Day

The current version of Opera browser is based on Chromium, the same engine that Google Chrome uses. Opera released a subsequent patch on Friday to fix the same bug.

Dear Opera Users!

The latest stable release of Opera – 110.0.5130.39, incorporates a crucial 0-day fix for CVE-2024-5274, enhancing user security. This update ensures safer browsing for everyone.

Opera is available on Windows, macOS, Linux, Android and iOS.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.



Source link