Cybersecurity Advisory: Zero-Day Vulnerability Exploited in Google Chrome - Immediate Action Required
Background: This zero-day vulnerability represents the first actively exploited flaw patched by Google in Chrome in 2024. In the previous year, Google successfully addressed eight actively exploited zero-days in the browser.
Summary: Google has released critical updates addressing four security vulnerabilities in the Chrome browser, one of which is a zero-day flaw actively exploited by threat actors. Tracked as CVE-2024-0519, this vulnerability involves an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, posing a significant risk of remote code execution.
Details: CVE-2024-0519 allows attackers to read out-of-bounds memory, potentially obtaining sensitive values such as memory addresses. Leaked values of this kind can be used to bypass protection mechanisms such as ASLR, increasing the likelihood of achieving code execution rather than just causing a denial of service. The issue was reported anonymously on January 11, 2024; additional details regarding the attacks and threat actors are intentionally withheld to prevent further exploitation.
Impact: Successful exploitation of this vulnerability could lead to heap corruption via a crafted HTML page, enabling remote attackers to compromise system integrity and potentially execute arbitrary code on affected devices.
Recommended Action:
- Update Chrome Immediately: Users are strongly urged to update Google Chrome to version 120.0.6099.224/225 (Windows), 120.0.6099.234 (macOS), or 120.0.6099.224 (Linux) to mitigate potential threats.
- Chromium-Based Browsers: Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should apply the corresponding fixes as soon as they are released.
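To verify the Chrome update across a fleet, the following added example (not part of the original advisory or of any vendor tooling) compares reported Chrome versions against the fixed builds listed above. The inventory format, the hostnames and the use of .224 as the Windows floor are assumptions; the floors apply to Google Chrome only, because the advisory gives no fixed versions for other Chromium-based browsers.

```python
import re

# Fixed builds per platform, taken from the advisory. Windows lists 224/225;
# the lower build is used as the floor (an assumption of this example).
FIXED_BUILDS = {
    "windows": (120, 0, 6099, 224),
    "macos": (120, 0, 6099, 234),
    "linux": (120, 0, 6099, 224),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return a 4-part version as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def is_patched(platform, version_text):
    """True if the version is at or above the fixed build for the platform."""
    floor = FIXED_BUILDS[platform.lower()]
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"unparsable version: {version_text!r}")
    # Tuple comparison is numeric per component, so .99 sorts below .224.
    return version >= floor

def audit(inventory):
    """Return (host, reason) for every host that needs attention."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            if not is_patched(platform, version_text):
                findings.append((host, f"below fixed build: {version_text}"))
        except (KeyError, ValueError) as exc:
            # Fail closed: an unknown platform or version is reported, not skipped.
            findings.append((host, f"cannot verify: {exc}"))
    return findings

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("ws-01", "windows", "120.0.6099.216"), ("ws-02", "windows", "120.0.6099.225"),
    ("mac-01", "macos", "Google Chrome 120.0.6099.224"),
    ("lnx-01", "linux", "Google Chrome 120.0.6099.224"),
    ("lnx-02", "linux", "121.0.0.0"), ("ws-03", "windows", "unknown"),
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE):
        print(f"{host}: {reason}")
```

Note that build .224 counts as patched on Linux but not on macOS, where the advisory names .234 as the fixed build.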