Google Rushes Emergency Fix for Zero-Day Chrome Vulnerability CVE-2024-4761 Under Active Exploitation
Plus, VMware Issues Urgent Fixes for Critical Security Flaws in Workstation and Fusion Products
Chrome Users Urged to Update Immediately as Google Unveils Patch for Critical V8 Engine Flaw
Google has swiftly responded to the discovery of a new zero-day vulnerability, identified as CVE-2024-4761, affecting its Chrome web browser. This high-severity flaw impacts the V8 JavaScript and WebAssembly engine and was anonymously reported on May 9, 2024. The vulnerability, categorized as an out-of-bounds write bug, has already been exploited in the wild, prompting Google to expedite the release of emergency fixes. Out-of-bounds write bugs are notorious for their potential to corrupt data, cause crashes, or enable malicious actors to execute arbitrary code on compromised systems.
Notably, this development follows closely on the heels of Google patching another actively exploited vulnerability, CVE-2024-4671, which involved a use-after-free flaw in the Visuals component. Google's prompt action underscores the ongoing efforts to safeguard users against emerging cyber threats and underscores the critical importance of timely software updates.
Since the beginning of the year, Google has addressed a total of six zero-day vulnerabilities, with three of them showcased at the Pwn2Own hacking contest held in Vancouver in March. These vulnerabilities, including CVE-2024-0519, CVE-2024-2886, CVE-2024-2887, CVE-2024-3159, and CVE-2024-4671, highlight the evolving landscape of cyber threats and the continuous need for vigilance in software security.
To mitigate potential risks associated with CVE-2024-4761, users are strongly advised to update their Chrome browsers to the latest version - specifically, version 124.0.6367.207/.208 for Windows and macOS, and version 124.0.6367.207 for Linux. Additionally, users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should remain vigilant and apply the necessary patches as soon as they become available.
Newly Disclosed Vulnerabilities in VMware Workstation and Fusion Pose Risk of Code Execution and Data Exposure
The recent disclosure by VMware highlights four security vulnerabilities affecting its Workstation and Fusion products, posing risks of information exposure, denial-of-service (DoS) attacks, and potential code execution under specific conditions. These vulnerabilities, collectively tracked as CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, and CVE-2024-22270, impact Workstation versions 17.x and Fusion versions 13.x. VMware promptly addressed these issues in version 17.5.2 for Workstation and version 13.5.2 for Fusion.
The vulnerabilities span a range of weaknesses, including a use-after-free flaw in the Bluetooth device (CVE-2024-22267), a heap buffer-overflow vulnerability in Shader functionality (CVE-2024-22268), and two information disclosure flaws affecting Bluetooth functionality (CVE-2024-22269) and Host Guest File Sharing (HGFS) functionality (CVE-2024-22270). Exploitation of these vulnerabilities could allow threat actors with varying levels of access privileges to execute arbitrary code, trigger DoS conditions, or access sensitive information stored in hypervisor memory.
Notably, CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 were initially demonstrated at the Pwn2Own hacking contest in March 2024, underscoring the real-world exploitability of these flaws. As interim measures, VMware recommends users disable Bluetooth support on virtual machines and deactivate the 3D acceleration feature until the patches can be applied. However, there are no equivalent mitigations for CVE-2024-22270, emphasizing the importance of promptly updating affected systems.
This advisory follows VMware's earlier patch release addressing critical security flaws in ESXi, Workstation, and Fusion products, reaffirming the company's commitment to promptly addressing security vulnerabilities to protect its users and their virtual environments.