Aug 23 2024

Chrome Zero-day Vulnerability Actively Exploited in the Wild

Category: Web Security, Zero day | disc7 @ 12:41 pm
https://gbhackers.com/chrome-zero-day-vulnerability-2/

Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.

This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac, addresses a critical zero-day vulnerability that is being actively exploited in the wild.

The update includes 38 security fixes, with particular attention to those contributed by external researchers.

Details of the Zero-Day Vulnerability

The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.

The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.

While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.

The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.

This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.

In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.

Below is a table summarizing the key vulnerabilities addressed in this update:

| Bounty | CVE ID | Severity | Description | Reported On |
| --- | --- | --- | --- | --- |
| $36,000 | CVE-2024-7964 | High | Use after free in Passwords | 2024-08-08 |
| $11,000 | CVE-2024-7965 | High | Inappropriate implementation in V8 | 2024-07-30 |
| $10,000 | CVE-2024-7966 | High | Inappropriate implementation in Permissions | 2024-07-25 |
| $7,000 | CVE-2024-7967 | High | Heap buffer overflow in Fonts | 2024-07-27 |
| $1,000 | CVE-2024-7968 | High | Use after free in Autofill | 2024-06-25 |
| TBD | CVE-2024-7969 | High | Type confusion in V8 | 2024-07-09 |
| TBD | CVE-2024-7971 | High | Type confusion in V8 | 2024-08-19 |
| $11,000 | CVE-2024-7972 | Medium | Inappropriate implementation in V8 | 2024-06-10 |
| $7,000 | CVE-2024-7973 | Medium | Heap buffer overflow in PDFium | 2024-06-06 |
| $3,000 | CVE-2024-7974 | Medium | Insufficient data validation in V8 API | 2024-05-07 |
| $3,000 | CVE-2024-7975 | Medium | Insufficient data validation in the Installer | 2024-06-16 |
| $2,000 | CVE-2024-7976 | Medium | Inappropriate implementation in FedCM | 2024-05-10 |
| $1,000 | CVE-2024-7977 | Medium | Insufficient policy enforcement in Data Transfer | 2024-02-11 |
| $1,000 | CVE-2024-7978 | Medium | Insufficient data validation in the Installer | 2022-07-21 |
| TBD | CVE-2024-7979 | Medium | Insufficient data validation in the Installer | 2024-07-29 |
| TBD | CVE-2024-7980 | Medium | Inappropriate implementation in Views | 2024-07-30 |
| $1,000 | CVE-2024-7981 | Low | Inappropriate implementation in WebApp Installs | 2023-07-14 |
| $500 | CVE-2024-8033 | Low | Inappropriate implementation in WebApp Installs | 2024-06-30 |
| $500 | CVE-2024-8034 | Low | Inappropriate implementation in Custom Tabs | 2024-07-18 |
| TBD | CVE-2024-8035 | Low | Inappropriate implementation in Extensions | 2022-04-26 |

The Chrome team is committed to ensuring user safety and has expressed gratitude to the security researchers who contributed to these fixes.

Users are strongly encouraged to update their browsers to the latest version to protect against these vulnerabilities.

Google also plans to release more information about new features and major efforts in upcoming blog posts for Chrome and Chromium.

As cyber threats evolve, timely updates and collaboration with the security community remain crucial in safeguarding users worldwide.



Tags: Chrome zero-day


Nov 29 2023

Chrome Zero-Day Vulnerability Exploited In The Wild

Category: Information Security, Web Search Engine, Web Security | disc7 @ 8:13 am

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this year. The flaw, identified as CVE-2023-6345, is classified as an integer overflow in Skia, an open-source 2D graphics library written in C++.

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” Google said.

There are several potential risks associated with this high-severity zero-day vulnerability, including the execution of arbitrary code and crashes.

On November 24, 2023, Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group reported the issue.

Google has updated the Stable channel to version 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, addressing the year’s sixth actively exploited zero-day vulnerability. The update will be rolled out over the next few days/weeks.

Additionally, Google has fixed six high-severity security vulnerabilities with this update.

Details Of The Vulnerabilities Addressed

Type Confusion in Spellcheck is a high-severity bug that is being tracked as CVE-2023-6348. Mark Brand from Google Project Zero reported the issue.

Use after free in Mojo is the next high-severity bug, tagged as CVE-2023-6347. 360 Vulnerability Research Institute’s Leecraso and Guang Gong reported the issue, and they were rewarded with a bounty of $31,000.

Use after free in WebAudio is a high-severity issue identified as CVE-2023-6346. Following Huang Xilin of Ant Group Light-Year Security Lab’s disclosure, a $10,000 prize was given out.

Out-of-bounds memory access in libavif is a high-severity bug tracked as CVE-2023-6350. Fudan University reported it and received a $7,000 bounty.

Use after free in libavif is a high-severity bug identified as CVE-2023-6351. Fudan University reported it and received a $7,000 bounty.

Update Now

To stop exploitation, Google strongly advises users to update their Chrome web browser right away. The steps to update Chrome are:

  • Go to the Settings option.
  • Then select About Chrome.
  • Wait, as Chrome will automatically fetch and download the latest update.
  • Once the installation process completes, you have to restart Chrome.
  • That’s it. Now you are done.
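The steps above update one browser; confirming that a fleet actually reached the fixed build is the other half of the job. This added example (not code from the posts or from Google) compares installed Chrome versions against the fixed builds named in the two advisories above (128.0.6613.84/.85 for CVE-2024-7971, 119.0.6045.199/.200 for CVE-2023-6345); the host names and installed versions in the inventory are constructed sample data.

```python
"""Check whether an installed Chrome build is at or above the fixed build in
a stable-channel advisory. Added example; inventory below is constructed."""
from typing import Dict, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'128.0.6613.84' -> (128, 0, 6613, 84); rejects anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def expand_advisory(text: str) -> Tuple[Version, ...]:
    """Expand advisory notation '128.0.6613.84/.85' into full versions.
    Both builds carry the fix, so the lowest is taken as the minimum."""
    base, *extras = text.split("/")
    first = parse_version(base)
    return (first,) + tuple(first[:3] + (int(e.lstrip(".")),) for e in extras)

# Minimum fixed build per platform, taken from the two advisories above.
FIXED: Dict[str, Dict[str, Version]] = {
    "CVE-2024-7971": {
        "linux": min(expand_advisory("128.0.6613.84")),
        "windows": min(expand_advisory("128.0.6613.84/.85")),
        "mac": min(expand_advisory("128.0.6613.84/.85")),
    },
    "CVE-2023-6345": {
        "linux": min(expand_advisory("119.0.6045.199")),
        "mac": min(expand_advisory("119.0.6045.199")),
        "windows": min(expand_advisory("119.0.6045.199/.200")),
    },
}

def is_patched(installed: str, platform: str, cve: str) -> bool:
    """Numeric per-component compare, so 128.0.6613.119 >= 128.0.6613.85
    holds (a plain string comparison would say the opposite)."""
    return parse_version(installed) >= FIXED[cve][platform.lower()]

def audit(inventory: Dict[str, Tuple[str, str]], cve: str) -> Dict[str, bool]:
    """Map host -> patched? over an inventory of host: (platform, version)."""
    return {h: is_patched(v, p, cve) for h, (p, v) in inventory.items()}

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "wks-01": ("windows", "128.0.6613.85"),
    "wks-02": ("windows", "127.0.6533.120"),
    "wks-03": ("linux", "128.0.6613.119"),
    "mac-01": ("mac", "128.0.6613.84"),
}
```

Feed `audit` the platform and version strings your endpoint inventory already reports; any `False` is a host that still needs the update.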



Tags: Chrome zero-day


Jul 22 2022

Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists

Category: Web Security, Zero day | DISC @ 9:13 am

The spyware developed by Israeli surveillance firm Candiru exploited recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists.

Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited the recently fixed CVE-2022-2294 Chrome zero-day.

The flaw, which Google fixed on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component. It is the fourth zero-day patched by Google in 2022.

Most of the attacks uncovered by Avast researchers took place in Lebanon and threat actors used multiple attack chains to target the journalists. Other infections were observed in Turkey, Yemen, and Palestine since March 2022.

In one case the threat actors conducted a watering hole attack by compromising a website used by employees of a news agency.

The researchers noticed that the website contained artifacts associated with attempts to exploit an XSS flaw. The pages contained calls to the JavaScript function “alert” along with keywords like “test”, which suggests the attackers were testing the XSS vulnerability before ultimately exploiting it to inject the loader for a malicious JavaScript from an attacker-controlled domain (i.e. stylishblock[.]com).

Candiru spyware

This injected code was used to route the victims to the exploit server, through a chain of domains under the control of the attacker.

Once the victim lands on the exploit server, code developed by Candiru gathers more information about the target system, and the exploit is used to deliver the spyware only if the collected data satisfies the exploit server’s checks.

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”

The zero-day was chained with a sandbox escape exploit, but experts were not able to recover it due to the protection implemented by the malware.

After getting a foothold on the victim’s machine, the DevilsTongue spyware attempts to elevate its privileges by exploiting another zero-day. The malware targets a legitimate signed kernel driver in a BYOVD (Bring Your Own Vulnerable Driver) fashion. To exploit the driver, the spyware must first drop it to the filesystem (Candiru used the path C:\Windows\System32\drivers\HW.sys); the experts pointed out that this file could be used as an indicator of compromise.

“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.

Tags: Candiru surveillance spyware, Chrome zero-day


Feb 15 2022

Google fixes a Chrome zero-day flaw actively exploited in attacks

Category: Zero day | DISC @ 10:10 am

Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609 and actively exploited in attacks, with the release of an emergency Chrome update for Windows, Mac, and Linux. This is the first Chrome zero-day fixed this year by Google.

The zero-day is a use after free issue in Animation. The bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.

“Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group on 2022-02-10 [$TBD][1285449]” reads the security advisory published by Google. “Google is aware of reports that an exploit for exists in the wild.”

The emergency patches will be rolled out over the coming weeks. Users can update their browser manually via Chrome menu > Help > About Google Chrome.

Google did not disclose technical details of CVE-2022-0609 to avoid widespread exploitation of the bug. The IT giant also withheld information about the in-the-wild attacks exploiting the flaw.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.


Tags: Chrome zero-day, Countdown to Zero Day


Mar 04 2021

Another Chrome zero-day exploit – so get that update done!

Category: Web Security | DISC @ 12:32 am

Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.

Patch now, we said.

And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:

The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update bulletin that includes 47 security fixes, of which eight have a severity level of High.

In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those days/weeks to elapse until the update finds you.

If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.

Tags: Chrome zero-day


Feb 05 2021

Chrome zero-day browser bug found

Category: Web Security, Zero day | DISC @ 10:20 am

Tags: Chrome zero-day