Google Patches Critical Chrome Vulnerability Created

Google Patches Critical Chrome Vulnerability Created

Google recently announced a Chrome update to version 124, addressing four security vulnerabilities, with the most severe being a critical type confusion bug in the ANGLE graphics layer engine, designated as CVE-2024-4058.

This critical vulnerability is significant as it can potentially be exploited remotely for arbitrary code execution or escaping the sandbox with minimal user interaction. Additionally, this update includes fixes for two high-severity issues: CVE-2024-4059, which involves an out-of-bounds read in the V8 API, and CVE-2024-4060, a use-after-free issue in the Dawn component.

The discovery of CVE-2024-4058 was credited to Qrious Secure, a group identifying themselves as seasoned hackers who enjoy uncovering and exploiting security flaws for both fun and profit. For their contribution, Google awarded them a $16,000 bounty. Qrious Secure has a history with Google, having previously reported other significant Chrome vulnerabilities earlier this year—CVE-2024-0517 and CVE-2024-0223, both of which have been patched.

These earlier vulnerabilities allowed for remote code execution and could potentially grant GPU privileges directly from JavaScript, respectively.

Despite the critical nature of CVE-2024-4058, Google has not reported any active exploitation of this flaw in the wild. While type confusion bugs are not uncommon in Chrome and are often found in the V8 JavaScript engine, this particular bug impacts a different component.

Affected Systems

affected from 124.0.6367.78 before 124.0.6367.78 

IoC’s

-

Recommended Solution(s)

The Stable channel has been updated to 124.0.6367.78/.79 for Windows and Mac. Linux version 124.0.6367.78 will be rolled out over the coming days/weeks.

Mitigations

-

CVE / CWE

CVE-2024-4058

Related Website(s)

• https://securityaffairs.com/162259/security/google-chrome-critical-flaw.html
• https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.