Google Scrambles to Patch Chrome Zero-Day Vulnerabilities Allowing Sandbox Escape

May 14, 2024

Google has issued an immediate security update for its Chrome browser to address a zero-day vulnerability, marked as CVE-2024-4761. This high-severity flaw exists in Google's open-source V8 JavaScript and WebAssembly engine, affecting not only Chrome but also other Chromium-based browsers. It allows a remote attacker, who has already compromised the renderer process, to potentially perform a sandbox escape using a specially crafted HTML page. This means they can move beyond the browser tab to access other web applications or the network. According to Malwarebytes, an exploit 'makes it possible to manipulate parts of the memory which are allocated to more critical functions,' enabling an attacker 'to write code to a part of the memory where it will be executed with permissions that the program and user should not have.'

Google has confirmed that the exploit code exists, but it has not specified whether active exploitation is underway. Casey Ellis, founder and chief strategy officer at Bugcrowd, warned in an emailed statement that active exploitation might soon commence given the exploit's existence.

Earlier, Google also patched CVE-2024-4671, a use-after-free (UAF) flaw in Visuals in Google Chrome. This vulnerability was being exploited before the patch was released and also allows a remote attacker to perform a sandbox escape via a crafted HTML page.

The two vulnerabilities disclosed this week follow three other bugs revealed at Pwn2Own in March that were already being exploited: CVE-2024-2887, CVE-2024-2886, and CVE-2024-3159. In January, Google patched its first exploited zero-day of the year, CVE-2024-0519.

In 2023, Mandiant, a part of Google, tracked eight total Chrome zero-days being used by threat actors in the wild before being patched. This indicates a year-over-year increase in zero-day exploitation. Mandiant's report in March found that there were 50% more zero-day vulnerabilities exploited in the wild in 2023 than in 2022, mostly by nation-state actors for data theft and cyber-espionage.

Callie Guenther, senior manager of Cyber Threat Research at Critical Start, stated in an email that the frequent discovery of zero-day vulnerabilities in Chrome has significant intelligence implications. These vulnerabilities can be exploited by threat actors, including state-sponsored groups, for cyber espionage, sensitive information theft, and targeted attacks.

To reduce exposure, users should ensure their systems are patched. Chrome downloads updates automatically, but the new version is only applied when the browser is restarted, so an instance that is never closed (or an extension or policy that blocks updates) can remain on the vulnerable build. Users can trigger the update manually by opening the browser menu, choosing 'Settings' and then 'About Chrome', which checks for and installs the latest version. Security teams should verify that every Chrome installation in their fleet is updated immediately and consider additional measures such as browser isolation and sandboxing.
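One practical way to verify the "every installation is updated" step across a fleet is to compare each machine's installed Chrome version against the fixed version from Google's release notes. The script below is an added example, not code from the article or from Google; it assumes a Linux host where the browser binary is invoked as `google-chrome` (other distributions use `google-chrome-stable` or `chromium`), and the minimum version it is given is a placeholder that must be replaced with the real fixed version for the advisory. The version strings in the demo at the bottom are constructed, not real releases.

```shell
#!/bin/sh
# Added example (not from the article): flag Chrome installs that are still
# below a minimum patched version. Field-by-field numeric comparison, pure
# POSIX sh, no dependency on GNU sort -V.

# version_ge A B: exit 0 if dotted version A >= B, else 1.
# Missing trailing fields are treated as 0, so 1.2 == 1.2.0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"           # first field of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # drop the consumed field
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# extract_version "<text>": print the first word that looks like a dotted
# version (e.g. "Google Chrome 124.0.6367.118" -> 124.0.6367.118); exit 1 if none.
extract_version() {
    for word in $1; do
        word="${word%%[!0-9.]*}"               # strip a trailing comma etc.
        case "$word" in
            [0-9]*.[0-9]*) printf '%s\n' "$word"; return 0 ;;
        esac
    done
    return 1
}

# chrome_patch_status "<output of google-chrome --version>" "<min version>"
# Prints OK, NEEDS_UPDATE or UNKNOWN and returns 0, 1 or 2 respectively,
# so it can drive a fleet inventory script or a config-management check.
chrome_patch_status() {
    v=$(extract_version "$1") || { echo "UNKNOWN"; return 2; }
    if version_ge "$v" "$2"; then
        echo "OK"; return 0
    else
        echo "NEEDS_UPDATE"; return 1
    fi
}

# Stand-alone use: sh chrome_check.sh <MIN_PATCHED_VERSION>
# The argument is a PLACEHOLDER: take the fixed version for the advisory
# from Google's Chrome release notes. Binary name is an assumption (see lead-in).
if [ -n "$1" ] && command -v google-chrome >/dev/null 2>&1; then
    chrome_patch_status "$(google-chrome --version)" "$1"
fi

# Constructed demo values (not real release numbers):
#   chrome_patch_status "Google Chrome 124.0.1000.1" "124.0.1000.5"  -> NEEDS_UPDATE
#   chrome_patch_status "Google Chrome 124.0.1000.5" "124.0.1000.5"  -> OK
```

The exit code is the useful part for automation: a management agent can run `chrome_patch_status "$(google-chrome --version)" "$MIN"` on each host and collect the non-zero results into a list of machines that still need a restart or an install.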
