Google fixes Chrome zero-day with in-the-wild exploit (CVE-2024-4671)
Google has fixed a Chrome zero-day vulnerability (CVE-2024-4671), an exploit for which exists in the wild.
About CVE-2024-4671
CVE-2024-4671 is a use after free vulnerability in the Visuals component that can be exploited by remote attackers to trigger an exploitable heap corruption via a specially crafted HTML page.
“Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” CIS explains.
“Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
The zero-day has been reported by an anonymous bug hunter and, according to Google, there’s an in-the-wild exploit for it. Though the company doesn’t explicitly say that the exploit is being used by attackers, chances are good that it is – or very soon will be.
The fixes
The vulnerability has been fixed in the stable desktop versions of Google Chrome:
- v124.0.6367.201/.202 for Mac and Windows
- v124.0.6367.201 for Linux
“The Extended Stable channel has been updated to 124.0.6367.201 for Mac and Windows which will roll out over the coming days/weeks,” the company added.
Users who have switched off automatic updating are advised to check for and implement the provided update, then restart the browser. Users who have automatic updating turned on and haven’t restarted the browser in a while should soon see a pop-up icon indicating a pending update.
UPDATE (May 14, 2024, 07:15 a.m. ET):
Google has patched another zero-day (CVE-2024-4761) likely exploited in the wild. It is an out of bounds write vulnerability in Chrome’s V8 JavaScript and WebAssembly engine.
Users of Chromium-based browsers such as Microsoft Edge, Brave, and Opera should expect fixes for that vulnerability soon. Vivaldi already has a fix.
source: HelpNetSecurity
Free security scan for your website
Top News:
Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware
November 23, 2024Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
November 23, 2024Download: CIS Critical Security Controls v8.1
August 8, 2024