lconstantin
CSO Senior Writer

Google Chrome gets a patch for actively exploited zero-day vulnerability

News
May 10, 2024 | 3 mins
Threat and Vulnerability Management, Vulnerabilities, Zero-day vulnerability

Details of the use-after-free memory vulnerability were not publicly released, but Google says it’s aware an exploit for the bug exists.

Google released a Chrome stable update Thursday to patch a high-severity vulnerability that was being exploited in the wild, the second zero-day to be patched in Chrome this year.

The vulnerability, tracked as CVE-2024-4671, is described as a use-after-free memory bug in the browser’s Visual component. Details about the vulnerability are still restricted from public view, but the company said it is aware that an exploit for the flaw exists in the wild.

The Chrome developers credited an anonymous third party with reporting the security issue on May 7. The vulnerability was patched two days later with the release of Chrome version 124.0.6367.201/.202 for Mac and Windows and version 124.0.6367.201 for Linux.

A previous zero-day vulnerability was found in January

Back in January, Chrome fixed another zero-day vulnerability located in the browser’s V8 JavaScript engine. That vulnerability was tracked as CVE-2024-0519 and was described as an out-of-bounds memory access.

On their own, Chrome vulnerabilities are rarely critical because of the browser’s strong sandboxing and various anti-exploit mechanisms. Achieving remote code execution through Chrome usually requires an exploit chain that combines multiple vulnerabilities.

Such exploit chains are very expensive to develop. Exploit acquisition company Zerodium offers up to $500,000 for a Chrome remote code execution with local privilege escalation exploit. This means the developers or users of such exploits are typically well-funded threat actors such as nation-states or, as Google points out, commercial surveillance software vendors.

Spyware vendors are responsible for most exploits

In a March report, researchers from Google’s Threat Analysis Group (TAG) and Mandiant, a Google subsidiary, counted 97 zero-day exploits being used in attacks during 2023.

Commercial surveillance vendors that sell spyware to government customers were responsible for over 60% of the 37 exploits impacting browsers and mobile devices, as well as for 13 of the 37 zero-day vulnerabilities that specifically impacted Google products: Chrome and Android.

It’s worth noting that none of the eight zero-day vulnerabilities that impacted Google Chrome in 2023 were caused by use-after-free memory safety bugs. That’s mainly thanks to a new exploit mitigation technology called MiraclePtr that Google built into the browser in 2023. By comparison, half of the exploitable vulnerabilities in Chrome found in 2022 were use-after-free ones.