Thursday September 19, 2024

Advisory ID: ngCERT-2024-0004

Summary: 

Security researchers discovered three high-severity use-after-free vulnerabilities in the Google Chrome browser (CVE-2024-1059, CVE-2024-1060 and CVE-2024-1077). Exploitation requires only that a victim open a crafted web page or file, and could allow a remote attacker to execute arbitrary code, steal sensitive user data, or crash the browser. Google has released security updates that address these and other vulnerabilities in Chrome; however, the fix only takes effect once the browser is updated and relaunched, so users must take the mitigation actions below.

Damage/Probability: CRITICAL/HIGH

Description: 

The three high-severity vulnerabilities are use-after-free (UAF) bugs, a memory-safety error that occurs when a program frees a block of memory but keeps a pointer to it and later dereferences that dangling pointer. Because the allocator may hand the same block out again, an attacker who can trigger an allocation of the right size in between can place controlled data where the freed object used to be, so the stale pointer now reads or writes attacker-controlled memory instead of the original object. The flaws are CVE-2024-1060 in the Canvas component, CVE-2024-1059 in the WebRTC component and CVE-2024-1077 in the Network component of Google Chrome. CVE-2024-1060 allows a remote attacker to exploit heap corruption via a crafted HTML page, CVE-2024-1059 allows stack corruption to be exploited via a crafted HTML page, and CVE-2024-1077 allows heap corruption to be exploited via a malicious file. The affected versions are Chrome prior to 121.0.6167.139/140 for Windows and Chrome prior to 121.0.6167.139 for Mac and Linux.
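The following is an added example, not code from the advisory or from Chromium, showing the dangling-pointer mechanism described above. To keep the behaviour deterministic and free of undefined behaviour, it uses a tiny fixed-slot arena allocator of its own (all names such as Handler, arena_alloc and safe_free are invented for illustration): an object is freed, an attacker-controlled allocation of the same size reuses its slot, and the stale pointer then reads attacker data, bypassing a privilege check. The hardened variant nulls the pointer at free time and refuses to dereference it.

```c
/*
 * Added example (not from the ngCERT advisory or from Chromium):
 * a deterministic use-after-free on a toy fixed-slot arena so the
 * dangling-pointer behaviour can be observed without relying on the
 * undefined behaviour of the system allocator.
 * Handler, arena_alloc, arena_free and safe_free are invented names.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SLOTS 4
#define LIVE_MAGIC 0x48444C52u /* 'HDLR' */

/* A toy object carrying a field an attacker would want to control. */
typedef struct {
    uint32_t magic;      /* marks a live Handler */
    int      privileged; /* 1 = may perform a sensitive action */
    char     name[16];
} Handler;

/* Toy allocator: fixed slots with a LIFO free list, so the most
 * recently freed slot is the next one handed out (as many real
 * allocators do for same-size chunks). */
static Handler arena[SLOTS];
static int     free_stack[SLOTS];
static int     free_top = -1;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    free_top = -1;
    for (int i = SLOTS - 1; i >= 0; i--) free_stack[++free_top] = i;
}

static Handler *arena_alloc(void) {
    if (free_top < 0) return NULL;
    Handler *h = &arena[free_stack[free_top--]];
    memset(h, 0, sizeof *h);
    return h;
}

static void arena_free(Handler *h) {
    /* Like a real free(), this does not touch the caller's pointer. */
    free_stack[++free_top] = (int)(h - arena);
    h->magic = 0;
}

/* Vulnerable pattern: `victim` is still used after it was freed. */
static int vulnerable_uaf(void) {
    arena_reset();
    Handler *victim = arena_alloc();
    victim->magic = LIVE_MAGIC;
    victim->privileged = 0;
    strcpy(victim->name, "guest");

    arena_free(victim);              /* object released ... */

    /* ... and an attacker-triggered allocation of the same size lands in
     * the same slot, with attacker-chosen contents. */
    Handler *attacker = arena_alloc();
    attacker->magic = LIVE_MAGIC;    /* a magic check alone would not save us */
    attacker->privileged = 1;
    strcpy(attacker->name, "evil");

    /* The stale pointer now reads the attacker's object. */
    if (victim->magic == LIVE_MAGIC) return victim->privileged; /* returns 1 */
    return 0;
}

/* Hardened pattern: null the owning pointer at free time and never
 * dereference a null handle. */
static void safe_free(Handler **pp) {
    if (*pp) { arena_free(*pp); *pp = NULL; }
}

/* Returns -1 when use of the freed object was refused. */
static int hardened(void) {
    arena_reset();
    Handler *victim = arena_alloc();
    victim->magic = LIVE_MAGIC;
    victim->privileged = 0;
    safe_free(&victim);

    Handler *attacker = arena_alloc();
    attacker->magic = LIVE_MAGIC;
    attacker->privileged = 1;

    if (victim == NULL) return -1;   /* freed handle, refuse to use it */
    return victim->privileged;
}

int main(void) {
    printf("vulnerable: privileged=%d\n", vulnerable_uaf());
    printf("hardened:   result=%d (-1 = use of freed object refused)\n", hardened());
    return 0;
}
```

The vulnerable function returns 1 even though the original object was unprivileged, because the stale pointer now aliases the attacker's replacement object; the hardened function returns -1. In a browser the "attacker allocation" is driven from JavaScript or a crafted page by causing objects of the right size to be created at the right moment, which is why the advisory's flaws are reachable from a crafted HTML page or file.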

Consequences: Successful exploitation of these vulnerabilities could allow for the following:

  • Arbitrary code execution in the context of the logged-on user.
  • Depending on the privileges associated with the user, an attacker could install malicious programs.
  • Attacker could view, change, or delete data.
  • Attacker could also create new accounts with full user rights.

Solution: 

Google has patched these vulnerabilities in Chrome 121.0.6167.139/140 for Windows and 121.0.6167.139 for Mac and Linux. All users are encouraged to:

  • Update Chrome to the fixed version or later and relaunch the browser so the update takes effect; keep operating systems, other software and devices up to date as well.
  • Remove saved logins and passwords and clear browsing history, particularly on any browser that may have been exploited before it was updated.
  • Remove cookies from the browser, since stolen session cookies allow an attacker to access accounts such as web mail without knowing the user's credentials.
  • Refrain from clicking on suspicious links or opening untrusted files, since these vulnerabilities are triggered by crafted web pages and malicious files.
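As an added example (not part of the advisory), the check below compares an installed Chrome version string, as shown by chrome://version or `google-chrome --version` on Linux, against the fixed version numerically component by component. A plain string comparison gets this wrong (for example "121.0.6167.85" sorts after "121.0.6167.139" lexically), so the parser converts each dot-separated component to a number. The function names and the sample version strings are invented for illustration.

```c
/*
 * Added example (not from the ngCERT advisory): numeric comparison of a
 * Chrome version string against the fixed version. parse_version and
 * chrome_is_vulnerable are invented names for this illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMPONENTS 4
#define FIXED_VERSION "121.0.6167.139" /* fixed build for Mac/Linux; Windows shipped .139/.140 */

/* Parse up to four dot-separated numeric components, skipping any leading
 * non-numeric prefix such as "Google Chrome ". Missing trailing
 * components are treated as 0. Returns 1 on success, 0 on malformed input. */
static int parse_version(const char *s, unsigned long out[COMPONENTS]) {
    for (int i = 0; i < COMPONENTS; i++) out[i] = 0;
    const char *p = s;
    while (*p && (*p < '0' || *p > '9')) p++;   /* skip prefix */
    int i = 0;
    while (*p) {
        char *end;
        if (i >= COMPONENTS) return 0;            /* too many components */
        if (*p < '0' || *p > '9') return 0;       /* component must start with a digit */
        out[i++] = strtoul(p, &end, 10);
        if (*end == '\0') break;
        if (*end != '.') return 0;                /* unexpected separator */
        p = end + 1;
        if (*p == '\0') return 0;                 /* trailing dot */
    }
    return i > 0;
}

/* Returns 1 if installed < fixed (still vulnerable), 0 if patched,
 * -1 if either string could not be parsed. */
static int chrome_is_vulnerable(const char *installed, const char *fixed) {
    unsigned long a[COMPONENTS], b[COMPONENTS];
    if (!parse_version(installed, a) || !parse_version(fixed, b)) return -1;
    for (int i = 0; i < COMPONENTS; i++) {
        if (a[i] < b[i]) return 1;
        if (a[i] > b[i]) return 0;
    }
    return 0; /* identical version */
}

int main(int argc, char **argv) {
    /* Constructed sample input; pass the real output of `google-chrome --version`
     * as argv[1] to check a live installation. */
    const char *installed = argc > 1 ? argv[1] : "Google Chrome 121.0.6167.85";
    int r = chrome_is_vulnerable(installed, FIXED_VERSION);
    if (r < 0)      printf("could not parse version: %s\n", installed);
    else if (r == 1) printf("%s is below %s: UPDATE REQUIRED\n", installed, FIXED_VERSION);
    else             printf("%s is at or above %s: patched\n", installed, FIXED_VERSION);
    return 0;
}
```

The same comparison can be pointed at the Windows fixed build by changing FIXED_VERSION; any build at or above the fixed one for the platform in use is patched against the three CVEs.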

References: