
The past week has been a nightmare for Google and its billions of Chrome browser users, as three actively exploited vulnerabilities have been confirmed. The US government has added one of these vulnerabilities to its list of known active attacks, giving federal agencies until June 6 to update Chrome instances. It is important for users to ensure that their browser updates have been installed by actively checking for the updates.

The first vulnerability, CVE-2024-4671, was reported by Google on May 9 as being exploited in the wild. This vulnerability is a “use after free” issue that allows attackers to abuse pointers to vacated memory. Just a few days later, on May 13, another vulnerability, CVE-2024-4761, was confirmed to be actively exploited in the wild. This vulnerability affects Chrome’s V8 JavaScript engine by creating an “out of bounds” memory issue that can be used to target the browser with malicious pages.

The US Cybersecurity & Infrastructure Security Agency (CISA) has added the second vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that it could affect multiple web browsers that use Chromium, including Google Chrome, Microsoft Edge, and Opera. Just two days after the second vulnerability, a third vulnerability, CVE-2024-4947, was confirmed to be actively exploited. This vulnerability is a “type confusion” issue that can be used to attack users with malicious HTML pages.

While most users have Chrome set to update automatically, it is important to fully close and relaunch the browser to ensure that the updates have been fully installed. Given the severity of three zero-day vulnerabilities being exploited in a short period of time, it is recommended that users manually close and relaunch Chrome to ensure that all updates have been successfully installed. Users may also want to consider rebooting their devices as an additional precaution, though this should not cause significant issues with Chrome.

The high number of vulnerabilities targeting Chrome highlights the platform’s complexity and attractiveness to attackers due to its widespread use. It is a constant battle between security researchers and attackers to find and exploit vulnerabilities in popular software like Chrome. Thankfully, Google’s emergency updates have been timely, and users are encouraged to take the necessary steps to protect their devices and data from potential attacks. By actively monitoring for updates and taking precautions such as closing and relaunching Chrome, users can help safeguard against any potential security threats.
