Another Chrome Zero-day Vulnerability Exploited in the Wild (CVE-2024-4947)

Qualys Security Advisory

For the second time this week, Google has shipped a Chrome stable channel update that fixes a vulnerability known to be exploited in the wild. The update addresses nine security vulnerabilities in total, one of which (CVE-2024-4947) is under active exploitation.

The externally reported CVEs in this release are as follows:

CVE-2024-4947

This is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. Type confusion in V8 is reachable from untrusted web content and typically yields memory corruption in the renderer process. Vasily Berdnikov and Boris Larin of Kaspersky reported the vulnerability to Google, and Google states that an exploit for CVE-2024-4947 exists in the wild.

CVE-2024-4948

This is a use-after-free vulnerability in Dawn, Chrome's WebGPU implementation.

CVE-2024-4949

This is a use-after-free vulnerability in the V8 JavaScript engine. Ganjiang Zhou of the ChaMd5-H1 team reported the vulnerability to Google.

CVE-2024-4950

This is an inappropriate implementation vulnerability in Downloads. Shaheen Fazim reported the vulnerability to Google.

This is the seventh Chrome zero-day fixed so far this year. The earlier six are listed below; note that CVE-2024-2886, CVE-2024-2887 and CVE-2024-3159 were demonstrated at Pwn2Own Vancouver 2024 rather than observed in attacks, while the remainder were reported as exploited in the wild:

  • CVE-2024-0519: Out-of-bounds memory access in V8
  • CVE-2024-2887: Type confusion in WebAssembly
  • CVE-2024-2886: Use-after-free in WebCodecs
  • CVE-2024-3159: Out-of-bounds memory access in V8
  • CVE-2024-4671: Use-after-free in Visuals
  • CVE-2024-4761: Out-of-bounds write in V8

Affected Versions

Google Chrome versions before 125.0.6422.60 are affected by this vulnerability. Because V8 is shared by all Chromium-based browsers, other vendors that embed it (for example Microsoft Edge, Brave, Opera and Vivaldi) ship their own fixed builds on their own schedules; check each product's release notes separately.

Mitigation

Customers should upgrade to the latest stable channel version, 125.0.6422.60/.61 for Mac and Windows and 125.0.6422.60 for Linux. Chrome applies updates only after a relaunch, so a downloaded but pending update still leaves the running browser vulnerable; users can confirm the installed build at chrome://settings/help.

For more information, please refer to the Google Chrome Release Page.
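For environments without a vulnerability scanner in place, the following added example (not part of the Qualys advisory) shows how to check an installed Chrome or Chromium build against the fixed version given above. It performs a numeric, component-wise comparison, because comparing the version strings lexically misorders builds such as 125.0.6422.9 and 125.0.6422.60. The binary names probed and the sample `--version` output strings are assumptions constructed for the demonstration.

```python
"""Check whether an installed Chrome/Chromium build predates the CVE-2024-4947 fix.

Added example, not code from the Qualys advisory or from Google. The fixed
build number is taken from the Chrome release note cited on this page.
"""
import os
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First stable build carrying the fix for CVE-2024-4947 (Linux shipped .60,
# Mac/Windows shipped .60/.61; anything >= .60 is fixed on every platform).
FIXED_VERSION = (125, 0, 6422, 60)

# Chrome version strings are always four dot-separated integers.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Binary names/paths to probe on Linux and macOS (assumed typical install names).
CANDIDATE_BINARIES = [
    "google-chrome",
    "google-chrome-stable",
    "chromium",
    "chromium-browser",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
]


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the version from output such as 'Google Chrome 124.0.6367.201'.

    Returns None when no four-part version is present.
    """
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, build, patch = (int(p) for p in match.groups())
    return (major, minor, build, patch)


def is_vulnerable(version: Tuple[int, ...], fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the installed build is older than the first fixed build.

    Tuple comparison is numeric per component, so (125, 0, 6422, 9) correctly
    sorts before (125, 0, 6422, 60); the strings would compare the other way.
    """
    return tuple(version) < tuple(fixed)


def installed_chrome_version() -> Optional[Tuple[int, ...]]:
    """Run `<binary> --version` for the first Chrome/Chromium binary found."""
    for candidate in CANDIDATE_BINARIES:
        path = candidate if os.path.isabs(candidate) else shutil.which(candidate)
        if not path or not os.path.exists(path):
            continue
        try:
            result = subprocess.run(
                [path, "--version"], capture_output=True, text=True, timeout=10
            )
        except (OSError, subprocess.SubprocessError):
            continue
        version = parse_version(result.stdout)
        if version is not None:
            return version
    return None


def assess(version_output: str) -> str:
    """Classify one `--version` output line as FIXED, VULNERABLE or UNKNOWN."""
    version = parse_version(version_output)
    if version is None:
        return "UNKNOWN"
    return "VULNERABLE" if is_vulnerable(version) else "FIXED"


if __name__ == "__main__":
    # Constructed sample outputs, as they would be printed by `--version`.
    samples = [
        "Google Chrome 124.0.6367.201",
        "Google Chrome 125.0.6422.9",
        "Google Chrome 125.0.6422.61",
        "Chromium 125.0.6422.76 snap",
    ]
    for line in samples:
        print(f"{line!r}: {assess(line)}")
    local = installed_chrome_version()
    if local is not None:
        print("Local install:", ".".join(map(str, local)),
              "VULNERABLE" if is_vulnerable(local) else "FIXED")
```

The `installed_chrome_version` helper covers Linux and macOS only; on Windows the same comparison can be fed the version read from the `chrome.exe` file properties or the `Google\Update\Clients` registry keys, but that lookup is intentionally not shown here.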

Qualys Detection

Qualys customers can scan their devices with QID 379827 to detect vulnerable assets.

Rapid Response with Patch Management (PM)

Qualys Patch Management and its Zero-Touch Patching feature provide an automated process for patching a vulnerability like this one.

Zero-Touch Patching identifies the most exposed products in your environment and automates the deployment of the required patches and configuration changes, so that actively exploited vulnerabilities such as this one are remediated promptly rather than waiting on a manual patch cycle.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html
