New Chrome zero-day actively exploited, patch quickly! (CVE-2024-7971)
A new Chrome zero-day vulnerability (CVE-2024-7971) exploited by attackers in the wild has been fixed by Google.
About CVE-2024-7971
CVE-2024-7971 is a high-severity vulnerability caused by a type confusion weakness in V8, the open-source JavaScript and WebAssembly engine developed by Google for the Chromium and Google Chrome web browsers.
“In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access,” Mitre explains the problem. (V8 is written in C++.)
As per usual, Google did not provide access to bug details and links – it’s holding off until most users are updated with a fix. The vulnerability’s NVD entry says that the flaw “allowed a remote attacker to exploit heap corruption via a crafted HTML page.”
The vulnerability has been reported by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), presumably after discovering the attacks.
Fixing CVE-2024-7971
Google has fixed CVE-2024-7971 and delivered 37 additional security fixes in Chrome v128.0.6613.84/.85 (for Windows and Mac) and v128.0.6613.84 (Linux).
Users are advised to upgrade their Chrome installation if they don’t have the automatic updating option switched on.
Fixes for security holes in V8 are usually propagated to Microsoft’s Edge browser quickly, as the browser uses the Blink and V8 engines developed by the Chromium team. “We are actively working on releasing a security fix,” the company stated on Wednesday.
Other Chromium-based browsers – e.g., Brave, Opera, and Vivaldi – should implement the fixes soon.
Looking for 0-days in V8
CVE-2024-7971 is the ninth actively exploited Chrome zero-day – and the third type confusion bug in the V8 engine – fixed this year.
In late 2023, Google has called on bug hunters to probe its V8 engine for zero-day flaws and report them, as well as exploit writers to try and exploit n-day and 0-day vulnerabilities. Rewards for both zero-days and exploits have been offered.
Unfortunately, attackers are looking for zero-days, as well.
UPDATE (August 27, 2024, 07:15 a.m. ET):
As confirmed by Google on Monday, among the fixes in these updates is one for CVE-2024-7965, an inappropriate implementation in V8 that has also been exploited in the wild as a zero-day. (In the wild exploitation of CVE-2024-7965 was reported after the release of the updates.)
UPDATE (August 31, 2024, 02:10 a.m. ET):
“On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971, to gain remote code execution (RCE). We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain,” Microsoft researchers say.
“Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet. We note that while the FudModule rootkit deployed has also been attributed to Diamond Sleet, another North Korean threat actor, Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors.”