Thursday September 19, 2024

Multiple Vulnerabilities Discovered in Mozilla Products and Google Chrome Browser

Advisory ID: ngCERT-2024-0009

Summary: 

Several critical zero-day and high severity vulnerabilities have been reported in Mozilla products including the Google Chrome browser. Attackers could leverage these vulnerabilities to run arbitrary code, circumvent security measures, or cause crashes on vulnerable systems. Nonetheless, Mozilla and Google have issued security updates to address the discovered vulnerabilities. As a result, users are advised to upgrade their products to the latest versions as recommended.

Damage/Probability: HIGH/HIGH

Platform(s): 

The Mozilla products critical zero-day vulnerabilities are identified as Out-of-bounds memory access vulnerability (CVE-2024-29943) and Privileged JavaScript Execution vulnerability (CVE-2024-29944). The out-of-bounds memory access vulnerability exists in the JavaScript engine and can be exploited by attackers to corrupt memory and potentially execute arbitrary code, while the privileged JavaScript execution vulnerability exists in the management of event handlers that allows attackers to inject malicious code into privileged objects. This vulnerability can be exploited to gain complete control over the browser process. Furthermore, in google chrome the critical vulnerabilities identified are known as the Use-After-Free (UAF) and a type confusion vulnerability. Attackers could exploit Use-After-Free (UAF) vulnerabilities to perform malicious operations such as arbitrary reading, writing back, and code execution. Also, once an attacker obtains process information, it will be easier to bypass system security defense tools. These vulnerabilities could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page to execute arbitrary code. Other high severity vulnerabilities in the Mozilla products includes, CVE-2024-2615, CVE-2024-2605, CVE-2024-2606, CVE-2024-2607, CVE-2024-2608, CVE-2024-2614, CVE-2024-0743, and CVE-2024-2616.

Consequences: 

Exploitation of the aforementioned vulnerabilities could lead to:

  • Unauthorised access.
  • System compromise
  • Data breach and exfiltration.
  • Damage to reputation.
  • Denial of Service (DoS)

Solution: 

Exploitation of the aforementioned vulnerabilities could lead to:

  • Unauthorised access.
  • System compromise
  • Data breach and exfiltration.
  • Damage to reputation.
  • Denial of Service (DoS)

References: