Google released a security advisory for the second time this week to address a vulnerability known to be exploited in the wild. In this update, Google addressed nine security vulnerabilities, one of which (CVE-2024-4947) is actively exploited.
CISA acknowledged the active exploitation of CVE-2024-4947 by adding it to its Known Exploited Vulnerabilities Catalog, with a deadline of June 10, 2024, to patch the flaw.
The list of CVEs is as follows:
CVE-2024-4947
This is a type confusion vulnerability in the V8 JavaScript engine. Vasily Berdnikov and Boris Larin of Kaspersky reported the vulnerability to Google.
CVE-2024-4948
This is a use-after-free vulnerability in Dawn.
CVE-2024-4949
This is a use-after-free vulnerability in the V8 JavaScript engine. Ganjiang Zhou of the ChaMd5-H1 team reported the vulnerability to Google.
CVE-2024-4950
This is an inappropriate implementation vulnerability in Downloads. Shaheen Fazim reported the vulnerability to Google.
This is the seventh Chrome zero-day vulnerability fixed so far this year. The six earlier ones are:
- CVE-2024-0519: Out-of-bounds memory access in V8
- CVE-2024-2887: Type confusion in WebAssembly
- CVE-2024-2886: Use-after-free in WebCodecs
- CVE-2024-3159: Out-of-bounds memory access in V8
- CVE-2024-4671: Use-after-free in Visuals
- CVE-2024-4761: Out-of-bounds write in V8
Affected Versions
Google Chrome versions before 125.0.6422.60 are affected by this vulnerability.
Mitigation
Customers are requested to upgrade to the latest stable channel version 125.0.6422.60/.61 for Mac and Windows and 125.0.6422.60 for Linux.
For more information, please refer to the Google Chrome Release Page.
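The affected/fixed boundary above is a four-part build number, and comparing such strings lexicographically is a common mistake (a ".9" build sorts after a ".60" build as text). The following is an added example, not Qualys or Google code, that parses Chrome-style version strings numerically and flags inventory entries that are still below the fixed Stable build. The inventory rows, host names and the platform keys are constructed for illustration; the fixed versions are the ones stated in the advisory.

```python
"""Flag Chrome installs that predate the fixed Stable build from the advisory.

Added example, not vendor code. The fixed build numbers come from the
advisory text; the inventory below is constructed sample data.
"""
import csv
import io
import re
from typing import List, Tuple

# Fixed Stable channel builds per platform, as stated in the advisory.
# Windows/Mac shipped as .60/.61; either is at or above the fix threshold.
FIXED_VERSIONS = {
    "windows": "125.0.6422.60",
    "mac": "125.0.6422.60",
    "linux": "125.0.6422.60",
}

# Chrome versions are exactly four dot-separated integers.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '125.0.6422.60' into (125, 0, 6422, 60) so tuples compare numerically."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a Chrome-style version string: {version!r}")
    major, minor, build, patch = (int(part) for part in match.groups())
    return (major, minor, build, patch)


def is_vulnerable(installed: str, platform: str) -> bool:
    """True when the installed build is strictly older than the fixed build.

    Numeric tuple comparison avoids the string-compare pitfall where
    '125.0.6422.9' would wrongly sort after '125.0.6422.60'.
    """
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[key])


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = """\
host,platform,chrome_version
ws-001,windows,124.0.6367.207
ws-002,windows,125.0.6422.61
mac-010,mac,125.0.6422.60
lx-020,linux,125.0.6422.9
lx-021,linux,125.0.6422.60
"""


def hosts_needing_patch(inventory_csv: str) -> List[str]:
    """Return host names whose Chrome build is below the fixed version."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [
        row["host"]
        for row in reader
        if is_vulnerable(row["chrome_version"], row["platform"])
    ]


if __name__ == "__main__":
    for host in hosts_needing_patch(INVENTORY):
        print(f"{host}: Chrome below {FIXED_VERSIONS['windows']}, patch required")
```

Feeding a real export (host, platform, version) through `hosts_needing_patch` gives the list of assets to prioritise; the numeric comparison is the part that matters, since a naive string sort would miss builds whose last component has fewer digits.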
Qualys Detection
Qualys customers can scan their devices with QIDs 379827 and 379835 to detect vulnerable assets.
Microsoft has released the Edge Stable Channel (Version 124.0.2478.109) to address CVE-2024-4947, which the Chromium team has reported as being exploited in the wild.
Rapid Response with Patch Management (PM)
Qualys Patch Management and its Zero-Touch Patching feature provide a seamless, automated process of patching a vulnerability like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This not only streamlines the patching process but also ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html