Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting.
The vulnerability, tracked as CVE-2024-0519, is the first Chrome zero-day that Google has disclosed in 2024 and the second in the browser in less than a calendar month.
In 2023, Google disclosed a total of eight zero-day vulnerabilities in Chrome, which is by far the most widely used browser today.
CVE-2024-0519: A Memory Corruption Security Bug

CVE-2024-0519 is what Google described as an out-of-bounds memory access issue in Chrome's V8 JavaScript engine, meaning that script on a crafted page can cause the engine to read or write outside the buffer it was meant to touch.
Google said an anonymous security researcher had reported the vulnerability to the company on Jan. 11.
As is typical for Google with zero-day vulnerabilities, the company's advisory gave no details on the flaw beyond noting that an exploit for CVE-2024-0519 exists in the wild.
The vulnerability is one of three flaws that Google patched this week.
The others are CVE-2024-0517, an out-of-bounds write in V8, and CVE-2024-0518, a type confusion flaw in V8.

A Flurry of Zero-Days for Chrome

CVE-2024-0519 adds to a growing list of zero-day bugs that researchers and attackers have discovered in Chrome in recent years.
The eight Chrome zero-days that Google disclosed in 2023 were actually fewer than the nine it disclosed in 2022 and the troubling 15 from 2021.
Between January 2019 and January 2024, Google disclosed a total of 43 zero-day bugs in Chrome, many of which also affect browsers built on Chromium, such as Microsoft Edge.
Seventeen of those zero-days - including the one Google patched this week - were in the V8 JavaScript engine.
Publicly released vulnerability data shows that Chrome is one of the most widely targeted technologies among attackers in recent years.
Security analysts have pointed to Chrome's large user base - it accounts for nearly 65% of browser market share worldwide - as one reason for the growing interest in the browser from both attackers and bug hunters.
Another factor is the almost ubiquitous use of browsers for accessing applications, websites, documents, PDFs, and other content online.
As browsers replace conventional client software, attackers have increasingly shifted to targeting them instead.

Growing Cyberattacker Interest in Browser Technology

While Chrome has been a favorite target, other browser technologies have not escaped researcher or attacker interest.
Apple has disclosed a total of 21 zero-day bugs in its WebKit browser engine since 2021 - 11 of them just last year.
Recently, both Apple and Google have warned of attackers seeking to exploit browser vulnerabilities for spying purposes.
Last September, when Google disclosed a zero-day bug in a Chrome software library, the company warned that a commercial vendor was exploiting the flaw to drop the Predator spyware tool on affected Android devices.
Concerns over browser attacks appear to be pushing organizations to implement controls over browser use.
Forty-seven percent of organizations had deployed controls for forced browser updates, 41% had removed suspicious extensions, and 78% had restricted non-corporate browser profiles.
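The three controls in that survey map onto Chrome's enterprise policies, which on Linux are read from JSON files under /etc/opt/chrome/policies/managed/. The following Python audit is an added example, not code from the article or from Google: it checks a managed-policy document for a forced-relaunch setting (so a downloaded patch actually takes effect), a deny-by-default extension blocklist, and restrictions on unmanaged profiles, with a constructed weak policy and a hardened one embedded for comparison. The policy names are real Chrome enterprise policies; the 7-day relaunch threshold, the sample policies and the placeholder extension ID are assumptions.

```python
"""Audit a Chrome managed-policy document for the three browser controls
named in the survey: forced updates, extension restrictions, profile restrictions.

Added example, not code from the article or from Google. The policy names are
real Chrome enterprise policies; the relaunch threshold, the sample policies
and the extension ID below are constructed for illustration.
"""
import json

# Chrome's documented default for RelaunchNotificationPeriod is 7 days (in ms).
CHROME_DEFAULT_RELAUNCH_PERIOD_MS = 7 * 24 * 60 * 60 * 1000
# Assumption: a build still unpatched a week after Chrome shipped the fix is
# unacceptable, so the forced-relaunch window must not exceed 7 days.
MAX_RELAUNCH_PERIOD_MS = 7 * 24 * 60 * 60 * 1000


def audit_chrome_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means all three controls are present."""
    findings = []

    # 1. Forced updates. Chrome fetches updates on its own, but a patched binary
    #    only runs after a relaunch. RelaunchNotification=2 ("required") forces
    #    the relaunch once RelaunchNotificationPeriod (milliseconds) elapses.
    if policy.get("RelaunchNotification") != 2:
        findings.append("RelaunchNotification != 2: users can keep running an unpatched build")
    period = policy.get("RelaunchNotificationPeriod", CHROME_DEFAULT_RELAUNCH_PERIOD_MS)
    if period > MAX_RELAUNCH_PERIOD_MS:
        findings.append(f"RelaunchNotificationPeriod {period} ms exceeds {MAX_RELAUNCH_PERIOD_MS} ms")

    # 2. Extensions. A "*" entry in ExtensionInstallBlocklist makes installation
    #    deny-by-default; ExtensionInstallAllowlist then re-enables vetted IDs.
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("ExtensionInstallBlocklist lacks '*': any extension can be installed")

    # 3. Profiles. Block new local profiles and guest sessions, and only allow
    #    corporate accounts to sign in, so policy cannot be sidestepped by
    #    switching to an unmanaged profile.
    if policy.get("BrowserAddPersonEnabled", True):
        findings.append("BrowserAddPersonEnabled is true: users can create unmanaged profiles")
    if policy.get("BrowserGuestModeEnabled", True):
        findings.append("BrowserGuestModeEnabled is true: guest sessions are allowed")
    if not policy.get("RestrictSigninToPattern"):
        findings.append("RestrictSigninToPattern unset: non-corporate accounts can sign in")
    return findings


# Constructed sample: a policy that looks managed but leaves all three gaps
# (relaunch only "recommended", 30-day window, empty blocklist, profiles open).
WEAK_POLICY = json.loads(r"""{
  "RelaunchNotification": 1,
  "RelaunchNotificationPeriod": 2592000000,
  "ExtensionInstallBlocklist": [],
  "BrowserSignin": 1
}""")

# Constructed sample: the hardened form. The extension ID is a placeholder.
HARDENED_POLICY = json.loads(r"""{
  "RelaunchNotification": 2,
  "RelaunchNotificationPeriod": 86400000,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaabbbbccccddddeeeeffffgggghhhh"],
  "BrowserAddPersonEnabled": false,
  "BrowserGuestModeEnabled": false,
  "BrowserSignin": 1,
  "RestrictSigninToPattern": ".*@example\\.com"
}""")


def audit_policy_file(path: str) -> list[str]:
    """Audit a policy file such as /etc/opt/chrome/policies/managed/corp.json."""
    with open(path, encoding="utf-8") as fh:
        return audit_chrome_policy(json.load(fh))


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        results = audit_chrome_policy(pol)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run it against the embedded samples to see the weak policy produce six findings and the hardened one none, or point `audit_policy_file` at a deployed policy file. On Windows the same policy names are set as registry values under the Google\Chrome policy key rather than as JSON, and the relaunch period is what actually closes the window between Google shipping a fix such as the one for CVE-2024-0519 and users running it.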
Published on www.darkreading.com, Wed, 17 Jan 2024 21:20:17 +0000