In every operating system or application, there exists the risk of a security flaw: a gap in defense for which there is no patch because the developer had no idea it existed, ultimately giving them “zero days” to prepare for it or fix it before threat actors attempt to exploit it. These are aptly called zero-day vulnerabilities. While most developers will try to avoid the risk of a zero-day vulnerability, it can pop up in almost any organization, a fact that tech giant Google is all too familiar with.
In this blog article, we take a look at the recent Google Chrome vulnerability found by Google and how it has affected users. We also explore the previous Google vulnerabilities that have been found and provide some security tips for organizations and individuals alike to follow. First, let’s try to understand the latest Google Chrome zero-day vulnerability to threaten users.
US Government Warns About Google Chrome Vulnerability
Google has just revealed that it has patched its tenth zero-day that has been exploited in the wild since the start of 2024. Tracked as CVE-2024-7965, the Google Chrome vulnerability has been described by the NIST National Vulnerability Database (NVD) as an inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 that allows remote attackers to potentially exploit heap corruption via a crafted HTML page.
The “inappropriate implementation in V8” label means that the vulnerability stems from improperly designed or implemented software, which leads to unintended behavior that attackers can exploit. It also means that attackers could potentially reach unexpected memory access.
The discovery of the CVE-2024-7965 vulnerability has been credited to one of Google’s Bug Bounty winners named TheDog and the vulnerability is now confirmed to have been caused by a bug in the compiler backend when selecting the instructions to generate for just-in-time (JIT) compilation. With a CVSS score of 8.8, the flaw also represents a severe risk that could potentially compromise the confidentiality and integrity of affected systems.
The latest Google Chrome zero-day vulnerability comes mere days after the company announced the patching of another vulnerability, CVE-2024-7971, which was described as a type confusion bug in the V8 JavaScript and WebAssembly engine. As a result of the first CVE-2024-7971 vulnerability being found on the 19th of August, the US government issued a warning to federal employees to update their browsers within 21 days or stop using them completely. While the warning only applies to federal agencies, all organizations are advised to prioritize applying patches for the vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog.
In the updated advisory released by Google on the 21st of August that announced the patch to Chrome 128 and its release to the stable channel, Google noted that it was “aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild.” Now, let’s look at the impact of the Google Chrome zero-day vulnerability.
Impact of Google Chrome Vulnerability
CISA has advised that the Chromium vulnerability could affect multiple web browsers - including “Google Chrome, Microsoft Edge, and Opera.” This means that any user with a Chromium browser could be affected. While Google has confirmed that the latest vulnerability has been actively exploited in the wild, the company has yet to share additional information about any attacks.
However, the exploitation of the CVE-2024-7965 vulnerability will require user interaction to be effective - such as visiting a compromised webpage that leads to unauthorized access or the execution of malicious code. Let’s review what Google Chrome users should do to protect themselves from this vulnerability.
What Should Chrome Users Do?
In these cases, the general rule of thumb is to immediately update your Google Chrome browser to receive the latest security patches and protect yourself from hackers trying to exploit the vulnerability. Users are encouraged to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to mitigate potential threats. While most Google Chrome updates are installed automatically, users can update their browsers manually on their desktops by:
- Opening up the Chrome menu
- Selecting “Help”
- Selecting “About Google Chrome”
- Choosing to “Update Google Chrome” if the option is available.
- Restarting your computer.
It’s important to note that if your browser doesn’t give you the option to update Google Chrome, you are probably already using the latest version. Zero-day vulnerabilities are an unfortunate but common security incident that companies have to face. Google has already faced its fair share of flaws that have threatened the tech empire’s reputation and users’ safety. We’ll now look at some of the Google vulnerabilities that have made headlines in the past.
Recent Google Chrome Vulnerabilities
Google has suffered several zero-day vulnerabilities since the beginning of 2024 and while the company has worked hard to patch them quickly, the sheer number of security flaws found is still quite alarming. These are the nine other Google vulnerabilities found so far this year:
- CVE-2024-0519: This was a high-severity vulnerability with an out-of-bounds memory access weakness within the Chrome V8 JavaScript engine - allowing remote attackers to exploit heap corruption via a specially crafted HTML page and possibly lead to unauthorized access to sensitive information. This vulnerability has been addressed by updating to a newer version of Chrome.
- CVE-2024-2887: This was a type confusion flaw in the WebAssembly standard. This high-severity vulnerability could lead to remote code execution (RCE) exploits leveraging a crafted HTML page and out-of-bounds memory access. This vulnerability was demonstrated at Pwn2Own 2024 and has been patched in Chrome updates.
- CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers can use this vulnerability to perform arbitrary reads and writes via crafted HTML pages - leading to remote code execution. This flaw was also demonstrated at Pwn2Own 2024 and has been resolved in subsequent Chrome updates.
- CVE-2024-3159: This high-severity vulnerability is caused by an out-of-bounds read in the Chrome V8 JavaScript engine. It can be exploited by remote attackers using specially crafted HTML pages to access data beyond the allocated memory buffer and cause heap corruption – often used to exfiltrate sensitive information. This was another vulnerability demonstrated at Pwn2Own 2024 that has since been fixed in newer Chrome versions.
- CVE-2024-4671: A high-severity vulnerability in the Visuals component that handles the rendering and displaying of content in the browser. This use-after-free vulnerability can lead to the execution of arbitrary code and has since been patched in recent Chrome updates.
- CVE-2024-4761: This is an out-of-bounds write problem in Chrome's V8 JavaScript engine that is responsible for executing JS code in the application.
- CVE-2024-4947: This vulnerability is also a type confusion weakness in the Chrome V8 JavaScript engine that allows the execution of arbitrary code on target devices. This flaw has been actively exploited in the wild and has been urgently updated with patches from Chrome.
- CVE-2024-5274: This is another type confusion vulnerability in the Chrome V8 JavaScript engine that can lead to crashes, data corruption, or arbitrary code execution. This bug allows for out-of-bounds memory access as well. Google has acknowledged active exploitation of this vulnerability and has issued patches.
- CVE-2024-7971: The second-last vulnerability for Google Chrome involves a type confusion issue within the V8 JavaScript engine. Exploitation of this flaw can lead to arbitrary code execution.
While these security vulnerabilities may be daunting for most organizations and regular users, it’s also important to know that you can protect yourself from zero-day exploits and attacks by simply following proper cyber hygiene practices – a few of which we’ll now detail below.
Cybersecurity Tips for Organizations and Individuals
Cybersecurity can be tricky in a time of evolving threats that can stem from threat actors themselves or simple flaws in systems that they might take advantage of. This is why both businesses and individuals need to implement proper cybersecurity practices to stay prepared and safe. Here are some security tips that might help to ward off cyber attacks caused by zero-day vulnerabilities:
- Updating Your Software and Systems: This is one of the most crucial steps to safeguarding yourself and your organization from zero-day exploits. Regularly update all your systems to ensure that you have the latest security patches and fixes in place.
- Enabling Stronger Access Controls: Try to use a system of zero-trust to limit the amount of access unauthorized individuals have to your network and data.
- Use Strong Passwords: Always make use of a strong and complex password or use a password manager that will suggest strong passwords and keep them safe for you.
- Be Suspicious of Links: Do not open random links that you receive in emails or texts. Hackers will often use phishing methods to gain private information or inject malicious code.
- Use a Strong Firewall: Using a next-generation firewall will help you detect and mitigate cyber threats before they can enter your network.
- Train and Educate Employees: Instill cyber hygiene practices and cyber awareness in your workforce and train them to detect suspicious activity.
- Use Trusted Websites Only: Ensure that the websites you use have a small lock icon to show that they are secure and ensure that the website is using HTTPS before you give away personal or private information.
The latest addition to the Google Chrome vulnerability saga needs to be a reminder for all users to invest in fortified cybersecurity rather than simply expecting every system to operate without flaws. Contact Sangfor today for information on enhancing cloud infrastructure and cybersecurity or visit www.sangfor.com to learn more.