Google Releases Critical Security Update for Chrome


Google has rolled out a critical security update for its Chrome browser, addressing a severe flaw that could lead to browser crashes. The update, now available on the Stable channel, brings Chrome to version 127.0.6533.88/89 for Windows and Mac and 127.0.6533.88 for Linux. This update will be distributed over the coming days and weeks.

The latest update includes three significant security fixes, two of which were reported by an external researcher known as “gelatin dessert.” The details of these fixes are as follows:

EHA

  • CVE-2024-6990: A critical vulnerability involving uninitialized use in Dawn, reported on July 15, 2024. This flaw could potentially allow attackers to exploit the browser, leading to crashes or other malicious activities.
  • CVE-2024-7255: A high-severity out-of-bounds read issue in WebTransport, reported by Marten Richter on July 13, 2024. This vulnerability could enable attackers to read sensitive information from other memory locations.
  • CVE-2024-7256: Another high-severity issue involving insufficient data validation in Dawn, reported on July 23, 2024. This flaw could be exploited to inject malicious data into the browser.

The “uninitialized use in Dawn” flaw (CVE-2024-6990) can significantly impact Chrome’s browser performance and stability. Dawn is a critical component of Chrome’s graphics pipeline, responsible for rendering web content efficiently across different platforms.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

When uninitialized memory is used in Dawn, it can lead to unpredictable behavior, causing the browser to crash unexpectedly or freeze during normal operation.

This not only disrupts the user experience but also potentially exposes the system to security vulnerabilities. In severe cases, it could allow attackers to execute arbitrary code, potentially compromising the user’s system. 

In line with its policy, Google has restricted access to detailed information about these vulnerabilities until a majority of users have updated their browsers. This precaution is intended to prevent potential exploitation of these flaws before users can protect themselves.

Additionally, restrictions will remain if the vulnerabilities are found in third-party libraries that other projects also depend on but have not yet patched.

Google urges all Chrome users on Windows, Mac, and Linux platforms to update their browsers promptly to ensure they are protected against these vulnerabilities.

The update process is typically automatic, but users are advised to verify their browser version to confirm the update has been applied.

Google has expressed gratitude to all security researchers who contributed to identifying and reporting these vulnerabilities, helping to enhance the security of the Chrome browser.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access



Source link