Google Rolls Out Chrome Fix For First Chrome Zero-Day Exploit of 2024



Google has released security updates that fix the first Chrome zero-day vulnerability exploited in the wild in 2024. The vulnerability, identified as CVE-2024-0519, is a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine. Attackers could exploit this vulnerability to gain unauthorized access to data beyond the memory buffer, potentially leading to exposure of sensitive information or causing a system crash.

What is a Zero Day Vulnerability?

A zero-day vulnerability refers to a security flaw in software or hardware that is actively exploited by attackers before the vendor or developer becomes aware of it. The term “zero-day” indicates that there are zero days of protection for users from the time the vulnerability is discovered by malicious actors until a fix or patch is made available.

Attacks in the real world

In response to reports of the CVE-2024-0519 exploit being used in real-world attacks, Google released security updates for users in the Stable Desktop channel. The patched versions were made available globally for Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) users within a week of the vulnerability being reported to Google. Although the update may take some time to reach all impacted users, it was immediately accessible for manual installation, and Chrome users can also rely on the browser’s automatic update feature.

With an out-of-bounds memory access of this kind, code may keep reading until it finds a sentinel; if the expected sentinel is not located in the out-of-bounds memory, excessive data is read. This can result in a segmentation fault or buffer overflow. MITRE explains that the product may modify an index or perform pointer arithmetic that references a memory location outside the buffer boundaries, producing undefined or unexpected results. Besides unauthorized access to out-of-bounds memory, CVE-2024-0519 could be exploited to bypass protection mechanisms such as ASLR, making it easier for attackers to achieve code execution through another weakness.
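The missing-sentinel pattern described above, shown as an added C example of the general weakness class next to a bounded version. It is not code from Chrome or V8 and does not reproduce CVE-2024-0519; the function names and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SENTINEL 0x00  /* assumed end-of-field marker for this example */

/* Unsafe pattern: assumes a sentinel exists somewhere in buf. If it does
 * not, the loop walks past the end of the buffer (out-of-bounds read). */
size_t field_len_unchecked(const unsigned char *buf)
{
    size_t n = 0;
    while (buf[n] != SENTINEL)
        n++;
    return n;
}

/* Bounded version: the scan never leaves the cap bytes the caller owns.
 * Returns 0 and stores the length, or -1 if no sentinel is present. */
int field_len_checked(const unsigned char *buf, size_t cap, size_t *len)
{
    const unsigned char *end = memchr(buf, SENTINEL, cap);
    if (end == NULL)
        return -1;
    *len = (size_t)(end - buf);
    return 0;
}

/* Copies one field, sentinel included, only when both the source scan and
 * the destination size are within bounds. Returns the field length,
 * -1 for a missing sentinel, -2 when the destination is too small. */
int copy_field(const unsigned char *buf, size_t cap,
               unsigned char *out, size_t out_cap)
{
    size_t len;
    if (field_len_checked(buf, cap, &len) != 0)
        return -1;
    if (len + 1 > out_cap)
        return -2;
    memcpy(out, buf, len + 1);
    return (int)len;
}

int main(void)
{
    const unsigned char ok[] = { 'a', 'b', 'c', SENTINEL };  /* constructed */
    const unsigned char bad[] = { 'a', 'b', 'c', 'd' };      /* no sentinel */
    unsigned char out[8];
    printf("well-formed: %d\n", copy_field(ok, sizeof ok, out, sizeof out));
    printf("missing sentinel: %d\n", copy_field(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

Calling `field_len_unchecked` on the buffer without a sentinel is undefined behaviour, which is why the example only passes that buffer to the bounded functions.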

Google has not provided detailed information about the specific incidents where CVE-2024-0519 exploits were used. The company stated that access to bug details and…
