Google on Thursday released a patch for the Chrome browser for Mac and Windows, the fifth zero-day exploited for Chrome in 2024.
The flaw — CVE-2024-4671 — was described as a high-severity (8.8) “use-after-free” bug in the Visuals component that manages the rendering and display of content on Chrome.
In a May 9 blog post, Google said the bug was reported to them by an anonymous researcher on May 7.
Google acknowledged that they know that an exploit for CVE-2024-4671 exists in the wild. The company also said they plan to patch the Linux browser over the coming days or weeks.
While an exploit for the bug exists in the wild, we have seen no evidence of active exploitation, pointed out Drew Perry, chief innovation officer at Ontinue.
A “use-after-free” vulnerability often causes Chrome to crash instead of leading to remote code execution, Perry said, adding that chaining the bug with other vulnerabilities like a sandbox escape could come in handy to an attacker and lead to remote code execution, but significantly increases the sophistication of the attack.
“If I were to put my attacker hat back on, I would chain this to craft a more potent exploit against Chrome — combining CVE-2024-4671 with other active vulnerabilities could enhance the likelihood of a successful attack,” said Perry. "On its own, this CVE is not worthy of a weekend panic. However, if chained, often done by a more capable adversary, then things start to get interesting.”
Perry recommended that security pros check their current updates ring cycles in Intune and apply autopatch policies in an enterprise-controlled browser like Edge. If something falls out of a patch cycle and an endpoint gets hit, Perry said security teams should make sure they have robust detection and response capabilities in place to stop attackers from gaining a further foothold.
Georgia Weidman, founder and CTO at Shevirah Inc., added that a use-after-free vulnerability is a type of software flaw that occurs when a program continues to use a piece of memory after it has been freed (deallocated or released) back to the system.
“A real-world analogy would be if you check out of a hotel room, but the hotel does not deactivate your room key, you could later come back when the new guests are out and have access to their belongings,” said Weidman. “Use-after-free can lead to denial-of-service crashes, data leakage, or even, as in this case, code execution. Google Chrome automatically downloads and installs updates as they become available. However, new versions only take effect when the browser restarts, so be sure to relaunch your browser after updating.”
