Google Patches Another Actively Exploited Chrome Zero-Day Vulnerability

Google has recently released updates to address nine security vulnerabilities in its Chrome browser. Among these fixes is a patch for a new zero-day exploit that has been actively used in the wild.

New Zero-Day Vulnerability: CVE-2024-4947

This vulnerability was discovered and reported by Kaspersky researchers Vasily Berdnikov and Boris Larin on May 13, 2024. Due to the active exploitation of CVE-2024-4947, Google has withheld specific details about the attacks to prevent further abuse.

Description and Impact

CVE-2024-4947 is a critical type confusion vulnerability in the V8 JavaScript and WebAssembly engine used by Chrome. Type confusion occurs when a program accesses a resource using an incompatible type, leading to severe consequences such as out-of-bounds memory access, application crashes, and the potential for arbitrary code execution.

CVE-2024-4947 highlights a significant security flaw in the way the V8 engine handles type checks, making it a target for exploitation.

Google has promptly addressed this issue by releasing an update to patch the vulnerability. Users are advised to upgrade their browsers to the latest version to protect against potential attacks leveraging this flaw. Additionally, information about the specific nature of the attacks exploiting this vulnerability has been withheld to prevent further exploitation.

Exploitation in the Wild

Google has confirmed that CVE-2024-4947 is being actively exploited in the wild. This vulnerability, a type confusion bug in the V8 JavaScript and WebAssembly engine, poses significant security risks.

To mitigate the threat and prevent further exploitation, Google is withholding detailed information about the nature and methods of these attacks. This precautionary measure is standard practice in the cybersecurity community, aiming to limit the dissemination of exploit details that could be used by malicious actors.

Users are strongly advised to update their Chrome browsers to the latest version immediately. Additionally, those using Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, should ensure they apply the relevant updates as soon as they are available to maintain robust security against potential threats.

Recent Zero-Day Patches

The patch for CVE-2024-4947 marks the third zero-day vulnerability fixed by Google in a week. The two other recently patched zero-days are:

  • CVE-2024-4671: Use-after-free in Visuals
  • CVE-2024-4761: Out-of-bounds write in V8

Summary of Zero-Days Addressed in 2024

With the inclusion of CVE-2024-4947, Google has patched a total of seven zero-day vulnerabilities in Chrome since the beginning of the year. The details of these vulnerabilities are as follows:

  • CVE-2024-0519: Out-of-bounds memory access in V8
  • CVE-2024-2886: Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
  • CVE-2024-2887: Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
  • CVE-2024-3159: Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
  • CVE-2024-4671: Use-after-free in Visuals
  • CVE-2024-4761: Out-of-bounds write in V8
  • CVE-2024-4947: Type confusion in V8

Recommended Actions

  • Chrome Users: Users are strongly advised to upgrade to Chrome version 125.0.6422.60/.61 for Windows and macOS, and version 125.0.6422.60 for Linux to mitigate these security threats.
  • Users of Chromium-Based Browsers: Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the available fixes as soon as possible to ensure their systems are protected.

Remediation Steps for Addressing Chrome Vulnerabilities

  1. Update Chrome to the Latest Version: Ensure your Chrome browser is updated to version 125.0.6422.60/.61 for Windows and macOS, and version 125.0.6422.60 for Linux. This update includes patches for the latest vulnerabilities.
  2. Enable Automatic Updates: Turn on automatic updates for Chrome to ensure that you receive the latest security patches as soon as they are released.
  3. Check for Updates in Chromium-Based Browsers: If you use browsers such as Microsoft Edge, Brave, Opera, or Vivaldi, check for and apply any available updates that address the vulnerabilities patched in Chrome.
  4. Restart Your Browser: After updating, restart your browser to ensure that the patches are fully applied.
  5. Monitor Security Advisories: Regularly review security advisories from Google and other relevant sources to stay informed about new vulnerabilities and patches.
  6. Enable Enhanced Security Features: Use Chrome’s enhanced security features, such as site isolation and advanced phishing protection, to add further layers of security.

  7. Stay Informed and Educated: Educate yourself and your team about common security threats and best practices for safe browsing to minimize the risk of exploitation.
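
A fleet check for step 1, added here as an example and not part of the original article: it parses each browser version string and compares it numerically against the fixed build 125.0.6422.60 named above. The inventory rows, the host,platform,version layout and the status labels are constructed for illustration; other Chromium-based browsers are only flagged for vendor lookup, because the article gives no fixed versions for them.

```python
import re

# Lowest fixed build per platform, taken from the article (.60 on all three).
PATCHED = {
    "windows": (125, 0, 6422, 60),
    "macos": (125, 0, 6422, 60),
    "linux": (125, 0, 6422, 60),
}
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

# Constructed inventory rows: host,platform,browser version string.
SAMPLE_INVENTORY = """\
ws-001,windows,Google Chrome 125.0.6422.61
ws-002,windows,Google Chrome 125.0.6422.9
lx-003,linux,Google Chrome 125.0.6422.60
mac-004,macos,Google Chrome 99.0.1.1
ws-005,windows,Microsoft Edge 1.2.3.4
lx-006,linux,chrome: command not found
"""

def parse_version(text):
    """Return the four-part version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'needs-update', 'check-vendor' or 'unknown'."""
    version = parse_version(version_text)
    minimum = PATCHED.get(platform.strip().lower())
    if version is None or minimum is None:
        return "unknown"
    if not version_text.strip().lower().startswith("google chrome"):
        # Other Chromium-based browsers use their own version numbers.
        return "check-vendor"
    # Tuple comparison is numeric: build 9 < build 60, unlike "9" > "60" as text.
    return "patched" if version >= minimum else "needs-update"

def audit(inventory):
    """Map each host in the inventory text to its status."""
    results = {}
    for line in inventory.splitlines():
        parts = line.split(",", 2)
        if len(parts) == 3:  # skip blank or malformed rows
            results[parts[0].strip()] = classify(parts[1], parts[2])
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown returned no parseable version and need a manual check rather than being assumed safe.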