New US government warning as attacks confirmed
Here we are again. For the second time in three months, the US government has warned that the world’s most popular browser is known to be under attack. Federal employees have just 21 days to update their browsers or stop using them altogether. Given Chrome’s two billion desktop users, this is a big deal and should really apply to all users. There’s also a new, nasty stinger on the tail that just came out.
According to the US Cybersecurity Agency, CVE-2024-7971 “Contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page.” This means that an attacker can cause a logical memory error to destabilize a system, opening the door to an attack. As always, don’t think of these vulnerabilities in isolation, think of them as being used in conjunction with others.
While Chrome will make headlines since it dominates the desktop market with more than 2 billion users, CISA also advises that the Chromium vulnerability “could affect many web browsers, including ‘Google Chrome, Microsoft Edge and Opera.’ If you are using each Chromium browser, the warning applies to you.
CISA took longer to add this known exploit KEB catalog than expected. It’s been almost a week since Google warned that “exploits for CVE-2024-7971 exist in the wild,” updating the stable desktop channel to 128.0.6613.84/.85 for Windows and Mac. I expected it to be added sooner.
If you needed another reason to update right now, look no further than the unpleasant surprise that was suddenly added to last week’s advisory. Google updated the alert on August 26 “to reflect its wild exploitation CVE-2024-7965 which was reported after this release.’ This second exploited vulnerability is listed as “improper implementation in V8”, meaning there is a possibility for an attack to gain out-of-bounds (unexpected) memory access, again with a maliciously crafted web page.
At the time of writing, CISA has only added the first vulnerability to its list — but it’s pretty certain that the second will follow soon. It is now mandatory for all federal employees to “apply mitigations per vendor guide or discontinue use of product if no countermeasures are available.” which means update or stop using. And the expiration date is the usual 21 days from. release, which is on September 16.
This has been a busy month for such warnings, with several Windows zero days and an Android zero day all coming within a few weeks. And while the official CISA mandate applies only to federal government employees, many other organizations are following—and should all—follow the same guidance. As CISA says itself, the purpose of the list and these deadlines is “to help every organization better manage vulnerabilities and keep up with threat activity.”
All of these Chrome zero days successfully exploit various types of memory vulnerabilities, but the good news is that Google is working on a broader set of defenses to stop this from happening quite often.
Updating your browser to the latest stable version will fix both zero-days and many other bugs, several of which are of high severity, even if they haven’t been exploited in the wild yet – as far as we know. The update should download automatically but restart your browser once this is done to make sure it installs.
With two zero days in this latest update—and with the potential for more to come, you’ll need to follow CISA’s schedule whether you’re an employee or a home user. We don’t yet know the extent of the ongoing attacks, but these types of exploits have a habit of spreading more widely, especially in the time between release and application of updates.
