It's Not May the 6th, but It’s the 6th Chrome Zero-Day This Year
By: Jim Stickley and Tina Davis
May 15, 2024
Google Chrome users have been on a wild zero-day ride lately. This past week, Google released its 6th, yes that's 6, patch for a zero-day vulnerability in 2024 alone. It was reported by a researcher who has remained anonymous so far, and it is rated high-severity. The potential good news is that a fix has been released for Windows and Mac, and one for Linux should be available very soon.
For this one, Google says it is aware that an exploit exists in the wild, but, if you believe Google, it has no evidence yet of it being used in attacks. That doesn't mean you shouldn't be on top of updating your Chrome browser, and it is especially urgent if you haven't updated after any of the other five patches were released. Just because Google doesn't have evidence of it being exploited does not mean it hasn't been, nor does it mean it won't be now that the news is out.
Updating Chrome is simple. Chrome downloads updates in the background, but they only take effect after a relaunch, so close the browser and reopen it; it will reopen your tabs. Another way to know an update is waiting is to look at the upper right corner of the toolbar: an "Update" button appears there next to your profile icon when a downloaded update is pending (its color changes the longer the update has been waiting), and clicking it relaunches Chrome with your tabs restored. To force a check, open the three-dot menu and choose Help > About Google Chrome (or type chrome://settings/help in the address bar); Chrome checks for the update, downloads it, and then offers to relaunch. After relaunching, the version shown on that page should be 124.0.6367.207 or later on Windows and Mac.
If you want the basics on what it can do, according to the National Institute of Standards and Technology, this "Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page." V8 is Chrome's JavaScript engine, so "via a crafted HTML page" means all an attacker needs is for you to visit a page they control. A memory write like this is the usual first stage of a drive-by exploit: it gives code execution inside the renderer sandbox, which an attacker then chains with a separate sandbox escape to reach the rest of the device. It's listed as CVE-2024-4761 if you want to look into it further; that is the bug the NIST description above (fixed in 124.0.6367.207) belongs to, while CVE-2024-4671 in the list below is the earlier, fifth zero-day, fixed in 124.0.6367.201. Suffice it to say, it can give an attacker a foothold on your device.
For Chrome users at the office, IT should push this update to every managed browser rather than rely on each person to relaunch, verify the installed version afterward, and keep all users briefed on the latest cybersecurity threats and mitigations.
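The "is this machine past the fixed build?" check that the update steps and the office advice above both come down to can be scripted. Here is an added example (not code from the article, from Google, or from Bleeping Computer): a POSIX shell script that pulls the version out of Chrome's `--version` output and compares it numerically, component by component, against the first fixed build for CVE-2024-4761 (124.0.6367.207, from the NIST description above). The binary names and macOS path it tries are assumptions about a typical Linux or Mac install; the sample version strings are constructed, not captured from any real machine.

```shell
#!/bin/sh
# Added example: check whether an installed Chrome is at or past the build
# that fixes CVE-2024-4761. Fixed build taken from the NIST description.
FIXED_VERSION="124.0.6367.207"

# version_ge A B: exit 0 if dotted version A >= B. Each numeric component is
# compared in turn, so 124.0.6367.207 > 124.0.6367.99 (a plain string
# comparison would get that wrong because "2" < "9").
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}            # missing components count as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# extract_version "Google Chrome 124.0.6367.201" -> 124.0.6367.201
# Anchors on the first digit so the whole four-part version is captured.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# chrome_patched "<output of chrome --version>":
#   exit 0 = fixed build or newer, 1 = still vulnerable, 2 = no version found
chrome_patched() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# live_check: ask the locally installed Chrome, if any, for its version.
# Assumed locations: Linux wrapper names, then the macOS app bundle binary.
live_check() {
    for bin in google-chrome google-chrome-stable \
               "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if out=$("$bin" --version 2>/dev/null); then
            if chrome_patched "$out"; then
                echo "OK: $out"
            else
                echo "UPDATE NEEDED: $out (fixed in $FIXED_VERSION)"
            fi
            return 0
        fi
    done
    echo "Chrome not found on this machine"
    return 1
}

# Constructed sample strings, in the format `google-chrome --version` prints:
for sample in "Google Chrome 124.0.6367.201" \
              "Google Chrome 124.0.6367.207" \
              "Google Chrome 125.0.6422.60"; do
    if chrome_patched "$sample"; then
        echo "patched:    $sample"
    else
        echo "vulnerable: $sample"
    fi
done
```

Run `live_check` (or the loop above with real `--version` output collected from each workstation) to turn the fleet advice into a yes/no per machine; the same `version_ge` comparison works for any later fixed build by changing `FIXED_VERSION`.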
In case you're curious about the other five, as listed by Bleeping Computer:
- CVE-2024-0519: A high-severity out-of-bounds memory access weakness which may allow remote attackers to use a specially crafted HTML page, leading to unauthorized access to sensitive information.
- CVE-2024-2887: A high-severity flaw that could lead to remote code execution (RCE) exploits, again leveraging a crafted HTML page.
- CVE-2024-2886: A use-after-free vulnerability that may allow remote attackers to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
- CVE-2024-3159: A high-severity vulnerability that allows remote attackers to exploit it using specially crafted HTML pages to access data.
- CVE-2024-4671: A high-severity use-after-free flaw in Visuals, the component that handles the rendering and display of content in the browser.