Source: Kristoffer Tripplaar via Alamy Stock Photo

Google has released an emergency security update for its Chrome browser, including a patch for a zero-day vulnerability that has exploit code released in the wild that could lead to data theft, lateral movement, malware implantation, and more.

It's the second zero-day that Google has patched in the past week, and the sixth for the year so far.

The latest update, to version 124.0.6367.207, includes a patch for CVE-2024-4761, a high-severity out-of-bounds write in Google's open source V8 JavaScript and WebAssembly engine (affecting Chromium browsers as well). It allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape (which means moving beyond the browser tab to pivot to other Web apps or the network) via a crafted HTML page.

An exploit "makes it possible to manipulate parts of the memory which are allocated to more critical functions," allowing an attacker "to write code to a part of the memory where it will be executed with permissions that the program and user should not have," according to a Malwarebytes overview of the bug.

Google noted that exploit code exists but stopped short of saying that active exploitation is underway.

"An exploit exists for this vulnerability in the wild, and while Google suggests that they haven’t seen active exploitation in the wild, the fact that an exploit exists suggests that this will soon commence," Casey Ellis, founder and chief strategy officer at Bugcrowd, wrote in an emailed statement.

Meanwhile, four days ago, Google patched CVE-2024-4671, a use-after-free (UAF) flaw in Visuals in Google Chrome prior to version 124.0.6367.201. This one was being exploited in the wild before the patch was released, and it also allows a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

"Exploitation is possible by getting the target to open a specific, specially crafted webpage, so the vulnerability is suitable for exploitation as a drive-by attack," according to Malwarebytes.

While both bugs allow sandbox escape and require a compromise of the renderer process, it's unclear if the two are related. As usual, Google has declined to offer details on either vulnerability.

Sixth Chrome Zero-Day for 2024

The two vulnerabilities disclosed this week follow three other bugs revealed at Pwn2Own in March that were already being exploited: CVE-2024-2887 (type-confusion issue in WebAssembly); CVE-2024-2886 (UAF issue in WebCodecs); and CVE-2024-3159 (out-of-bounds memory access in V8).

And in January, Google patched its first exploited zero-day of the year, CVE-2024-0519: an out-of-bounds memory access bug in the Chrome JavaScript engine.

In contrast, for the entirety of 2023, Mandiant, part of Google, tracked eight total Chrome zero-days being used by threat actors in the wild prior to patching, indicating an increasing volume of zero-day exploitation year-over-year. This dovetails with Mandiant findings in March that there were 50% more zero-day vulnerabilities exploited in the wild overall in 2023 than in 2022.

The majority of those exploitations were in pursuit of data theft and cyber-espionage efforts on the part of nation-state actors, the report found.

"The frequent discovery of zero-day vulnerabilities in Chrome has significant intelligence implications," Callie Guenther, senior manager of Cyber Threat Research at Critical Start, said in an emailed statement. "These vulnerabilities can be exploited by threat actors, including state-sponsored groups, to conduct cyber espionage, steal sensitive information, and launch targeted attacks."

To prevent data breaches and more, users should ensure their systems are patched. Chrome will update automatically, unless a user doesn't close the browser or an extension prevents the update. To be on the safe side, users can manually start the update by clicking "settings" and then "about Chrome."

Security teams should ensure all Chrome installations are updated immediately. Additional steps would be to implement additional security measures, such as browser isolation and sandboxing.

"An emergency patch without details is basically Google’s highest level of alert," Ellis said. "It bears repeating that Chrome will save and reopen non-Incognito tabs, so if losing your place is stopping you or someone you know from applying this patch, you shouldn’t delay."

For more information on dealing with data breaches and what they mean for your organizations, don't miss "Anatomy of a Data Breach: What to Do if It Happens to You," a free Dark Reading virtual event scheduled for June 20.