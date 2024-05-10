



Google on Thursday released a patch for its Chrome browser for Mac and Windows, making it the fifth zero-day to be exploited in Chrome in 2024.

Defect CVE-2024-4671 is described as a high-severity (8.8) use-after-free bug in the Visuals component that manages content rendering and display in Chrome.

Google said in a May 9 blog post that the bug was reported by an anonymous researcher on May 7.

Google has confirmed that it is aware that an exploit for CVE-2024-4671 exists in the wild. The company also said it plans to patch its Linux browser in the coming days and weeks.

Drew Perry, chief innovation officer at Ontinue, noted that while exploits of this bug do exist, they have not found any evidence of active exploitation.

Perry said that use-after-free vulnerabilities often cause Chrome to crash rather than leading to remote code execution, and that cascading the bug with other vulnerabilities such as sandbox escapes can cause problems. , adding that it could be useful for attackers and could lead to remote code execution. The sophistication of attacks is greatly increased.

If I were to put on my attacker hat, I would chain this together and combine CVE-2024-4671 with other ongoing vulnerabilities to create a more powerful exploit against Chrome. This increases the chances of a successful attack, Perry said. “This CVE of his isn't worth a weekend of panic on its own. But when chained together by a more capable opponent, things start to get interesting.

Perry recommended that security professionals check the current update ring cycle in Intune and apply automatic patching policies on browsers managed by companies such as Edge. Perry said that if something leaks out of a patch cycle and endpoints are attacked, security teams have robust detection and response capabilities in place to prevent attackers from gaining further foothold. He said he needed to confirm.

Georgia Weidman, founder and chief technology officer (CTO) of Shevirah Inc. He added that it is a type of software defect that occurs when the software continues to run. system.

In a real-world analogy, when you check out of a hotel room, the hotel doesn't disable the room key, so you can come back later and access your belongings when a new guest leaves. said Wideman. Use-after-free can lead to denial-of-service crashes, data leaks, and even code execution as in this case. Google Chrome automatically downloads and installs updates when they become available. However, the new version will only take effect when you restart your browser, so be sure to restart your browser after updating.

