Google Chrome Zero-Day Bug Under Attack, Allows Code Injection

The first Chrome zero-day bug of 2024 adds to a growing list of actively exploited vulnerabilities found in Chromium and other browser technologies.

Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. It paves the way for code execution and other cyberattacks on targeted endpoints.
The vulnerability, assigned as
CVE-2024-0519
, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the browser in less than a calendar month. In 2023, Google disclosed a total of eight zero-day vulnerabilities in Chrome, which is by far the most widely used browser currently.
CVE-2024-0519 concerns what Google described as an out-of-bounds memory access issue in Chromes V8 JavaScript engine. Such vulnerabilities arise when a software program
attempts to access memory locations
outside its allocated boundaries.
Attackers can leverage these vulnerabilities to access sensitive information in adjacent memory locations on an affected system, cause it to crash, modify data, or inject malicious code, according to researchers from Vulnera.
Besides unauthorized memory access, CVE-2024-0519 could also be exploited to circumvent protection mechanisms such as ASLR, making it easier to execute code via another vulnerability,
according to a Vulnera blog post
.
Google said an anonymous security researcher had reported the vulnerability to the company on Jan. 11. As is typical for Google with zero-day vulnerabilities, the
companys bug disclosure
did not offer any details on the flaw beyond noting that an exploit for CVE-2024-0519 exists in the wild. The vulnerability is one of three flaws that Google patched this week. The others are
CVE-2024-0517
, which is an out-of-bounds write issue in V8, and
CVE-2024-0518
, a type confusion flaw in V8.
CVE-2024-0519 adds to a growing list of zero-day bugs that researchers and attackers have discovered in Chrome in recent years. However, the
eight Chrome zero-days
that Google disclosed in 2023 were actually less than the nine it disclosed in 2022 and the troubling 15 from 2021.
Data in Googles
0day In the Wild
spreadsheet shows that from 2014, when Googles Project Zero bug-hunting team first began tracking actively exploited zero-days, to the end of 2018, there were no publicly disclosed Chrome zero-days. Since then, between January 2019 and January 2024, Google has disclosed a total of 43 zero-day bugs in Chrome, many of which have also affected browsers based on Chromium technology, such as Microsoft Edge.
Seventeen of the zero-days — including the one that Google patched this week — affect the V8 JavaScript engine for the Chrome browser. Almost all of them were similar memory corruption issues that enabled a wide range of malicious activity.
Publicly released vulnerability data shows that Chrome is one of the most widely targeted technologies among attackers in recent years. Security analysts have pointed to Chromes large customer base — it accounts for nearly
65% of browser market share worldwide
— as one reason for the growing interest in the technology from both attackers and bug hunters. Another factor is the
almost ubiquitous use of browsers
for accessing applications, websites, documents, PDFs, and other content online. With browsers beginning to replace conventional client technologies, attackers have increasingly begun targeting them instead.
While Chrome has been a favorite target, other browser technologies have not escaped researcher or attacker interest. Apple, for instance, has disclosed a total of 21 zero-day bugs in its WebKit browser engine since 2021 — 11 of them just last year.
Recently, both Apple and Google have warned of attackers seeking to exploit browser vulnerabilities for spying purposes. Last September, for instance, when Google disclosed a zero-day bug (
CVE-2023-5217
) in a Chrome software library, the company warned of a commercial vendor exploiting the flaw to drop the
Predator spyware tool
on affected Android devices.
Concerns over browser attacks appear to be pushing organizations to implement measures for securing browser use. In
a survey of 150 CISOs that LayerX conducted
last year, 87% of organizations in all-SaaS environments reported at least one browser-borne attack in the prior 12 months. Forty-seven percent had deployed controls for forced browser updates in their environment, 41% removed suspicious extensions, and 78% restricted non-corporate browser profiles.

Last News
▸ LinkedIn and Evernote implement 2FA. ◂ Discovered: 26/12/2024 Category: security	▸ From detection to automated action, ensuring safe movement. ◂ Discovered: 26/12/2024 Category: security	▸ Do businesses infect their website visitors intentionally? ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Google Chrome Zero-Day Bug Under Attack, Allows Code Injection