Google is rolling out an important update to Chrome, addressing a critical security flaw among other vulnerabilities. This update is available for Chrome versions on Windows, Mac, and Linux platforms.
The critical flaw, identified as CVE-2024-4058, involves a type confusion error in ANGLE, a widely-used graphics library that also supports other major browsers like Firefox and WebKit. This vulnerability was discovered by Toan Pham and Bao Pham of Qrious Secure on April 2, 2024, and is notable for its potential to allow attackers to execute malicious code remotely, thereby bypassing the browser's protective sandbox environment.
The critical nature of CVE-2024-4058 implies significant risk, potentially affecting not just Chrome but other browsers and software that rely on the ANGLE library. Exploitation of this bug could lead to severe consequences such as data theft, malware installation, or complete system compromise.
The security update also addresses additional vulnerabilities, including an out-of-bounds read in the V8 API and a use-after-free issue in Dawn, both marked with a high severity rating. These flaws were identified and reported in early April by researchers Eirik and wgslfuzz, respectively.
Google's internal security measures, such as ongoing audits and the use of tools like AddressSanitizer and MemorySanitizer, contributed to a range of other fixes included in this release.
The discovery and patching of such vulnerabilities is one thing, but users applying the available update is the most crucial step. Threat actors can develop exploits based on the patch within 24 hours, as demonstrated many times in the past with active 1-day flaw exploitation.
Users are advised to update their Chrome browsers immediately to avoid potential exploitation by going to Settings > About Chrome, and restarting the browser after the update is done.
Organizations that cannot afford to apply updates immediately might want to consider measures such as restricting internet access or implementing remote browser isolation to minimize risks associated with web-based threats.
Hackers Exploit 0-Day Flaws in Cisco Products to Infiltrate Govt Networks
Leave a Reply