Brings the total number of Chrome zero-day flaws patched in 2024 to eight.

Google released a new stable update for its Chrome browser to fix an actively exploited vulnerability. This brings the number of zero-day flaws patched this month to four, and to eight in total for the year.

Four actively exploited flaws in a single month is an unusually high number for Chrome, a browser that’s known for its solid security engineering and exploit mitigations. For comparison, eight zero-day flaws were found and patched in Chrome over the course of 2023 and nine in 2022.

On top of that, a full, working Chrome exploit chain that leads to remote code execution and privilege escalation is valued at $500,000 on the exploit market, so the type of threat actors that can afford to use and burn such exploits is very limited and generally includes nation states and vendors of surveillance software sold to government agencies.

What is known about the vulnerability

The newly patched vulnerability is tracked as CVE-2024-5274 and is described as a type confusion issue in the Chrome V8 JavaScript engine. Type confusion is a type of error that can occur in programming languages that use dynamic typing, such as JavaScript, and can be exploited by modifying the type of a given variable with the goal of triggering unintended behavior.

The Chrome team rates the vulnerability as high severity and credits Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security for reporting it on 20 May. The team also notes that it is aware that an exploit for this vulnerability exists in the wild.

While no technical details about the vulnerability have been released, for safety reasons and to allow users time to update, it is possible that this could be an arbitrary code execution flaw.
Such flaws would normally be rated critical in many software programs, but the Chrome V8 engine has a memory heap sandbox and other security mechanisms such as JITCage that make exploitation harder. For a successful exploit, the attackers would likely have needed to chain this vulnerability with others that bypass these mitigations.

The previous zero-days patched this month were:

CVE-2024-4947, patched on 15 May. This was another type confusion flaw in V8 that was reported by Vasily Berdnikov and Boris Larin of Kaspersky Lab and which was used in targeted attacks, according to Kaspersky.

CVE-2024-4761, patched on 13 May. An out-of-bounds memory write in V8 reported by an anonymous researcher.

CVE-2024-4671, patched on 9 May. A use-after-free flaw in the browser’s Visuals component that was reported by an anonymous researcher.

In a March report, researchers from Google’s Threat Analysis Group (TAG) and Mandiant, a Google subsidiary, said that commercial surveillance vendors were responsible for over 60% of the 37 exploits impacting browsers and mobile devices in 2023, including 13 of the 37 zero-day vulnerabilities that impacted Chrome and Android.