Google has released an emergency security update for the Google Chrome web browser to patch a high-severity vulnerability that attackers are actively exploiting in the wild.
The zero-day flaw, CVE-2024-4947, is a type confusion bug in the V8 JavaScript engine that could allow remote code execution. Type confusion occurs when a program handles an object as if it were of a different type than it actually is, leading to unexpected and potentially dangerous behavior. In this case, the V8 engine is tricked into misinterpreting an object as a different type, which can allow malicious code to execute and poses a significant risk to the system's security. The vulnerability is dangerous because it can be exploited to cause heap corruption via a specially crafted HTML page that triggers the bug.
Attack Overview
Crafted HTML Page: Attackers can create a specially designed HTML page with malicious JavaScript code, which is often obfuscated to avoid detection by security software.
Imagine you receive an email from an unknown sender containing a link to an article. When you click the link, the web page appears normal, but a malicious script executes arbitrary code in the background without your knowledge.
Technical Examples
- The attacker writes JavaScript code that triggers this vulnerability by confusing the engine into treating an object as a different type.
- The attacker’s code could overwrite a return address on the stack with a pointer to their malicious code.
- When the function returns, instead of returning to the legitimate code flow, it jumps to the attacker’s code, which is now executed with the privileges of the browser process.
Update Recommended
To mitigate potential threats, users should upgrade to Chrome version 125.0.6422.60/.61 for Windows and macOS and version 125.0.6422.60 for Linux. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as soon as they become available.
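As an added example (not part of the original article), the following Python script checks whether a reported Chrome version is at or above the fixed builds named above, so that an administrator can triage an endpoint inventory export for hosts still running a vulnerable build. The fixed-build numbers come from the advisory text; the inventory rows, host names and older version strings are constructed sample data.

```python
"""Check whether a reported Chrome version carries the CVE-2024-4947 fix.

Added example, not from the article. Minimum fixed builds are those the
advisory names: 125.0.6422.60/.61 on Windows and macOS, 125.0.6422.60 on
Linux. The sample inventory below is constructed, not real data.
"""
import re
from typing import Iterable, List, Tuple

# Minimum build per platform that contains the fix. Windows/macOS shipped as
# .60 and .61, so .60 is the lower bound on all three platforms.
FIXED_MIN = {
    "windows": (125, 0, 6422, 60),
    "macos": (125, 0, 6422, 60),
    "linux": (125, 0, 6422, 60),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a four-component Chrome version such as '125.0.6422.61'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a Chrome version string: {text!r}")
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_patched(version: str, platform: str) -> bool:
    """True if `version` on `platform` is at or above the fixed build."""
    key = platform.lower()
    if key not in FIXED_MIN:
        raise ValueError(f"unknown platform: {platform!r}")
    # Tuple comparison orders component by component, so 125.0.6422.61
    # sorts above 125.0.6422.60 and below 126.0.0.0.
    return parse_version(version) >= FIXED_MIN[key]


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for hosts that still need the update.

    `inventory` is an iterable of (hostname, platform, version) tuples, as an
    endpoint-management export might provide. Unparseable versions are
    reported rather than silently treated as patched.
    """
    needs_update = []
    for host, platform, version in inventory:
        try:
            patched = is_patched(version, platform)
        except ValueError as err:
            needs_update.append((host, f"unparseable: {err}"))
            continue
        if not patched:
            needs_update.append((host, version))
    return sorted(needs_update)


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "125.0.6422.61"),
    ("ws-02", "windows", "124.0.6367.200"),
    ("mac-01", "macos", "125.0.6422.60"),
    ("lnx-01", "linux", "125.0.6367.118"),
    ("lnx-02", "linux", "garbage"),
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: needs update ({reason})")
```

The check deliberately fails closed: a version string that does not parse is listed as needing attention rather than assumed safe, since an inventory gap is exactly where an unpatched browser tends to hide.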
Security researchers Vasily Berdnikov and Boris Larin from Kaspersky discovered the vulnerability on May 13th and reported it to Google.
With CVE-2024-4947, Google has resolved a total of seven zero-days in Chrome since the start of the year:
- CVE-2024-0519 – Out-of-bounds memory access in V8
- CVE-2024-2886 – Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887 – Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159 – Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671 – Use-after-free in Visuals
- CVE-2024-4761 – Out-of-bounds write in V8
~ Author: Hashan Nethkalum ~