Details of the use-after-free memory vulnerability were not publicly released, but Google says it is aware that an exploit for the bug exists.

Google released a Chrome stable channel update on Thursday to patch a high-severity vulnerability that is being exploited in the wild, the second Chrome zero-day this year known to have been exploited in attacks. The vulnerability, tracked as CVE-2024-4671, is described as a use-after-free memory bug in the browser's Visuals component. Details about the vulnerability remain restricted from public view, as is Google's practice until most users have received the fix, but the company said it is aware that an exploit for the flaw exists in the wild.

The Chrome developers credited an anonymous third party with reporting the issue on May 7. It was patched two days later with the release of Chrome version 124.0.6367.201/.202 for Mac and Windows and version 124.0.6367.201 for Linux. Users can check that they are on a patched build, and trigger the update, from chrome://settings/help; the fix only takes effect once the browser has been relaunched.

A previous zero-day vulnerability was found in January

In January, Google fixed another actively exploited Chrome zero-day, CVE-2024-0519, an out-of-bounds memory access in the browser's V8 JavaScript engine.

On their own, Chrome vulnerabilities are rarely critical because of the browser's sandboxing and other anti-exploit mechanisms: a memory-corruption bug such as a use-after-free typically gives an attacker code execution only inside a sandboxed process. Achieving remote code execution on the underlying system usually requires an exploit chain that combines several vulnerabilities, such as a renderer bug with a sandbox escape. Such chains are expensive to develop; exploit acquisition company Zerodium offers up to $500,000 for a Chrome remote code execution exploit with local privilege escalation. The developers and users of such exploits are therefore typically well-funded threat actors such as nation-states or, as Google points out, commercial surveillance software vendors.
Spyware vendors are responsible for most exploits

In a March report, researchers from Google's Threat Analysis Group (TAG) and Mandiant, a Google subsidiary, counted 97 zero-day exploits used in attacks during 2023. Commercial surveillance vendors that sell spyware to government customers were responsible for over 60% of the 37 exploits targeting browsers and mobile devices, and for 13 of the zero-days that specifically targeted Google products, Chrome and Android.

It is worth noting that none of the eight zero-day vulnerabilities exploited in Chrome in 2023 were use-after-free memory safety bugs. Google attributes that mainly to MiraclePtr, a use-after-free mitigation it built into the browser in 2023: protected pointers keep a reference count on the heap allocation they point to, and freed memory is poisoned and quarantined rather than returned to the allocator while that count is non-zero, so a dangling pointer can no longer be made to alias an attacker-controlled replacement object. By comparison, half of the exploited Chrome vulnerabilities found in 2022 were use-after-free bugs.
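To make concrete why a mitigation like MiraclePtr changes the outcome of a use-after-free, here is an added, deliberately simplified model; it is not Chromium's code and has nothing to do with the undisclosed CVE-2024-4671 bug itself. It implements a BackupRefPtr-style protected pointer over a tiny first-fit slab allocator; the slab layout, the 0xEF poison byte and the Session victim object are assumptions made for the illustration. The same dangling-pointer bug is run twice: through a raw pointer, the attacker's next allocation reuses the freed slot and the stale read returns attacker data; through the protected pointer, the slot is zapped and quarantined until the last reference is released, and the stale read sees only poison.

```cpp
// Added model of the idea behind MiraclePtr/BackupRefPtr; not Chromium code.
// Slab layout, poison byte and the Session struct are assumptions for the demo.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

namespace toy_heap {
constexpr int kSlots = 4;
constexpr size_t kSlotSize = 16;
constexpr uint8_t kPoison = 0xEF;  // assumed zap pattern written over freed memory

struct Slot {
    uint32_t refs;         // live BackupRefPtr references to this slot
    bool in_use;           // handed out by alloc() and not yet freed
    bool quarantined;      // freed while refs > 0: must not be recycled yet
    alignas(8) uint8_t data[kSlotSize];
};
Slot g_slots[kSlots];

void reset_heap() { std::memset(g_slots, 0, sizeof(g_slots)); }

Slot* slot_of(void* p) {
    return reinterpret_cast<Slot*>(static_cast<uint8_t*>(p) - offsetof(Slot, data));
}

// First-fit allocator: a freed, unquarantined slot is reused at once, which is
// exactly the behaviour a use-after-free exploit relies on.
void* alloc() {
    for (Slot& s : g_slots) {
        if (!s.in_use && !s.quarantined) {
            s.in_use = true;
            std::memset(s.data, 0, kSlotSize);
            return s.data;
        }
    }
    return nullptr;
}

void free_(void* p) {
    Slot* s = slot_of(p);
    s->in_use = false;
    std::memset(s->data, kPoison, kSlotSize);  // zap the old contents
    if (s->refs > 0) s->quarantined = true;     // keep it away from alloc()
}

// Protected pointer: the slot's refcount stops the allocator from recycling
// the memory until the last BackupRefPtr referring to it is released.
template <typename T>
class BackupRefPtr {
public:
    explicit BackupRefPtr(T* p) : p_(p) { if (p_) ++slot_of(p_)->refs; }
    ~BackupRefPtr() { release(); }
    BackupRefPtr(const BackupRefPtr&) = delete;
    BackupRefPtr& operator=(const BackupRefPtr&) = delete;
    T* operator->() const { return p_; }
    void release() {
        if (!p_) return;
        if (--slot_of(p_)->refs == 0) slot_of(p_)->quarantined = false;  // recyclable
        p_ = nullptr;
    }
private:
    T* p_;
};
}  // namespace toy_heap
using namespace toy_heap;

struct Session { uint32_t is_admin; uint32_t pad[3]; };  // assumed victim object
static_assert(sizeof(Session) <= kSlotSize, "Session must fit a slot");

// Unmitigated UAF: the attacker's replacement object lands in the freed slot,
// so the stale pointer now reads attacker-chosen data.
uint32_t dangling_read_raw() {
    reset_heap();
    Session* victim = new (alloc()) Session{};
    Session* stale = victim;                      // bug: copy outlives the object
    free_(victim);
    Session* attacker = new (alloc()) Session{};  // same slot as victim
    attacker->is_admin = 0x41414141;
    return stale->is_admin;                       // attacker-controlled
}

// Same bug through a protected pointer: the slot is zapped and quarantined,
// the attacker's object goes elsewhere, and the stale read sees only poison.
uint32_t dangling_read_guarded() {
    reset_heap();
    Session* victim = new (alloc()) Session{};
    BackupRefPtr<Session> stale(victim);
    free_(victim);
    Session* attacker = new (alloc()) Session{};  // forced into a different slot
    attacker->is_admin = 0x41414141;
    return stale->is_admin;                       // 0xEFEFEFEF, not attacker data
}

int main() {
    std::printf("raw=0x%08x guarded=0x%08x\n", dangling_read_raw(), dangling_read_guarded());
}
```

Compile with any C++17 compiler (for example g++ -std=c++17). The real BackupRefPtr keeps its reference count in the PartitionAlloc slot header and applies to raw_ptr<T> fields in Chromium code; the principle is the same as in the model: memory that is still referenced is never handed back to the free list, so what used to be an exploitable type confusion becomes a benign read of poison or a crash.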