Saturday, November 23, 2024

Google Chrome warning issued for all Windows users

If you are one of the billion-plus users of Google Chrome on Windows, you have just been warned to update your browser now…

Google Chrome dominates the desktop browser market, which makes it the default for over a billion Windows users. Google’s latest Chrome security update was reasonably muted. Yes, there were a handful of patches in the mix, although nothing too exciting. The more interesting news was the default Windows Hello login. However, normality has now been restored and a more urgent update warning has just been issued. So the same old advice applies: update Chrome as soon as possible.

Stable channel 123.0.6312.86/.87 includes a critical security fix for CVE-2024-2883, and there are also three high-risk fixes. As Google explains: “Critical severity issues allow an attacker to execute arbitrary code on the underlying platform with the user’s privileges during the normal course of browsing.”

In short, this is an issue where a maliciously crafted website could exploit a memory vulnerability on your PC, potentially giving access to an attacker.

Google doesn’t release detailed information about such security issues until it has given users time to update their browsers. As soon as it becomes public, the clock starts ticking and the danger of exploitation increases. But Google “aims to roll out the patch to all Chrome users in less than 30 days” if it is important, which illustrates the urgency here.

The type of vulnerability seen here is known as “use after free”. This means that the pointer to a memory location on the device isn’t deleted once that memory is freed. This pointer to the now-free memory might be exploited by an attacker as part of an attack chain. There is still no indication that this current vulnerability has been exploited. Two of the three patched high-risk vulnerabilities are also UAF.

As Kaspersky explains: “Because dynamic memory is constantly being reallocated, programs must constantly check which sections of the heap are free and which are occupied. Headers help here by pointing to allocated memory areas. Each header incorporates the beginning address of the corresponding block. UAF bugs arise when programs don’t properly manage these headers.”

When this happens: “When the program then allocates the same block of memory to another object (e.g. data entered by an attacker), the dangling pointer now points to this new record. In other words, UAF vulnerabilities enable code substitution,” which means tricking the device into executing malicious code.
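The block reuse described above, shown from the defensive side as an added example (not code from Chrome, Google or Kaspersky): a constructed fixed-size pool in C where every handle carries a generation number, so a reference kept after the free is refused once the same block has been handed to another object. All names here (`handle_t`, `pool_alloc`, `pool_free`, `pool_get`, `stale_handle_demo`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 4
/* A handle names a slot plus the generation it was issued for. */
typedef struct { uint32_t index, generation; } handle_t;
typedef struct { uint32_t generation; int in_use; char data[32]; } slot_t;
static slot_t pool[SLOTS];

/* True only if the handle still refers to the object it was issued for. */
static int handle_live(handle_t h) {
    return h.index < SLOTS && pool[h.index].in_use && pool[h.index].generation == h.generation;
}

/* Take the lowest free slot, the way an allocator tends to reuse freed blocks. */
static int pool_alloc(const char *payload, handle_t *out) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        snprintf(pool[i].data, sizeof pool[i].data, "%s", payload);
        *out = (handle_t){ i, pool[i].generation };
        return 0;
    }
    return -1; /* pool exhausted */
}

/* Free bumps the generation, which invalidates every outstanding copy. */
static int pool_free(handle_t h) {
    if (!handle_live(h)) return -1; /* stale handle or double free */
    pool[h.index].in_use = 0;
    pool[h.index].generation++;
    return 0;
}
static const char *pool_get(handle_t h) { return handle_live(h) ? pool[h.index].data : NULL; }

/* Constructed scenario; returns a bitmask of the checks that held (0xF = all). */
int stale_handle_demo(void) {
    handle_t session, stale, untrusted;
    memset(pool, 0, sizeof pool);
    pool_alloc("session:alice", &session);
    stale = session;                            /* second reference kept elsewhere */
    pool_free(session);                         /* object released, copy not cleared */
    pool_alloc("untrusted input", &untrusted);  /* lands in the block just freed */
    return (stale.index == untrusted.index)                          /* block was reused */
         | (pool_get(stale) == NULL) << 1                            /* stale use refused */
         | (strcmp(pool_get(untrusted), "untrusted input") == 0) << 2 /* new owner works */
         | (pool_free(stale) == -1) << 3;                            /* double free refused */
}
int main(void) { printf("checks held: 0x%X\n", stale_handle_demo()); return 0; }
```

With a raw pointer in place of the handle, the first check alone would mean the old reference silently reads the new object's data; the generation comparison is what turns that into a refused lookup.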

You should set Chrome to update automatically, but as with all apps and platforms, if there is a critical patch, it’s worth checking that the update has been downloaded and installed. If not, you should do that manually as soon as it becomes available.

You have been warned…
