Google’s popular Chrome browser has been frequently attacked by cybercriminals taking advantage of critical zero-day vulnerabilities that seem sometimes slow to be repaired in 2024. The attackers are actively exploiting these flaws to pull off malicious hacking attacks before they can be patched.
The latest is a nasty out-of-bounds write bug found in Chrome’s core JavaScript engine, labeled CVE-2024-4761. This high-risk flaw could allow the bad guys to corrupt your browser’s memory, make it crash, or potentially even run malware on your computer.
Google rushed out an urgent update urging everybody to upgrade to the latest Chrome version 124.0.6367.207 right away, for Windows, Mac, and Linux. If you are a Chrome user, Don’t skip this important patch!
But get this – this new zero-day came hot on the heels of another mega vulnerability (CVE-2024-4671) fixed just days earlier. That was a use-after-free issue that hackers were also actively unleashing on unsuspecting Chrome users out there.
In fact, as many as six zero-day exploits have been uncovered in Chrome in 2024 so far. Three of them were even demonstrated live at that famous Pwn2Own hacking contest back in March, showing just how skilled these attacker groups have become.
All these attacks are definitely ringing alarm bells about Chrome’s security weaknesses this year. It’s clearly an endless “cat-and-mouse” game against “bad guy” groups always finding new vulnerabilities to exploit.
These high-impact Chrome exploitation incidents just keep on coming with no letup in sight. Staying vigilant and promptly installing security updates is crucial to stay one step ahead of the “digital bad guys.”
What Exactly Is an Out-of-Bounds Write Bug?
An out-of-bounds write is a particularly problematic type of security hole in software programs. Basically, it happens when some code writes data outside the intended boundaries of a memory buffer area.
When an app needs to temporarily store information, it allocates a chunk of memory called a buffer to hold that data. But sloppy coding flaws can cause it to accidentally overwrite memory areas beyond that buffer’s limits.
This can corrupt important data, make the program crash hard, or potentially open the door for clever hackers to inject and execute malicious code on your system. Not a situation you want to find yourself in!
Out-of-bounds write bugs fall under the broader category of memory corruption vulnerabilities caused by incorrect handling of operations within memory buffers. The consequences range from denial-of-service to total system compromise in worst cases.
Careful programming practices, input validation checks, and using secure coding languages/libraries are crucial for preventing these types of flaws that attackers actively try to exploit.
Google’s Other Zero-Day: CVE-2024-4671
Just last week on May 10th, Google had to ship another urgent fix for a different “zero-day” vulnerability actively being used by hackers to target Chrome users.
This high-severity bug, tracked as CVE-2024-4671, was a “use-after-free” memory corruption flaw found in Chrome’s Visuals component.
A “use-after-free” condition happens when a program tries accessing memory space that’s already been freed up and de-allocated. This can potentially allow malware execution, program crashes, and all sorts of chaos — none of it is good.
Google stayed quiet on the specifics of how exactly this flaw was being exploited and by which attacker groups. But they did confirm “an exploit for CVE-2024-4671 exists in the wild”, meaning it was an active threat.
This was the second zero-day hole that Chrome users had to urgently patch in 2024, after an earlier memory corruption vulnerability back in January. The sheer frequency of these high-impact incidents underscores the constant battle against well-resourced cybercrime gangs.
Jeff.pro suggests FOSS Browser Alternatives in Linux asecure alternatives to “big tech” software like Google Chrome running on Windows
If you’re feeling a bit spooked by all these unrelenting Chrome zero-day incidents, it might be time to explore some free and open source software (FOSS) browser alternatives from the community. Recent findings suggest they could offer a more proactive, secure experience compared to the “big tech” options.
One FOSS browser that is a favorite of the “Privacy Guides” authors (who Jeff.pro has featured several times) is Mullvad Browser.
As they note, it is “a version of Tor Browser with Tor network integrations removed, aimed at providing Tor Browser’s anti-fingerprinting browser technologies to VPN users.” [1] Used in conjunction with a VPN, Mullvad Browser can thwart advanced tracking scripts by making your fingerprint identical to other users.
Importantly, Mullvad Browser does not use the Chromium browser engine like Google Chrome does. This engine, which also powers other popular browsers like Microsoft Edge, was the core component affected by the recent high-severity CVE-2024-4761 vulnerability. [2]
By using a different engine descended from Firefox instead of Chromium, Mullvad Browser avoids inheriting flaws like this zero-day from the get-go.
Incredibly, Linux developers fix bugs faster than “big tech” engineers!
Surprisingly, a study by Google’s own “elite” security research team, “Project Zero,” open-source developers are actually the fastest at patching critical vulnerabilities across the board. Their analysis found that Linux distributors fix security holes in just 25 days on average – way quicker than tech giants like Apple (69 days), Google itself (44 days), and Microsoft trailing far behind at 83 days.
The researchers noted Linux’s patch timeframes have been improving rapidly too, plummeting from 32 days in 2019 down to a blazing 15 days in 2021. That’s some seriously impressive turnaround!
So what makes the FOSS community so adept at fixing bugs? Project Zero theorizes it’s because open and transparent collaboration has become the industry norm. Companies are learning best practices from each other and prioritizing security robustness.
The Open Source, Transparent nature of Linux wins again against “big-tech”!
This proven faster reaction time to security vulnerabilities within the Linux community aligns with the open-source philosophy of transparent, community-driven development. With more eyeballs scrutinizing the code, flaws get identified and fixed at breakneck speed before exploitation. That communal software auditing is a major strength.
For browser security specifically, Mozilla’s open-source Firefox fared reasonably well in the study, patching its 8 vulnerabilities within 38 days on average, solidly ahead of closed-source rivals like Apple’s WebKit engine which lagged at 72 days.
Of course, there are other fantastic FOSS browser projects beyond just Firefox and Mullvad Browser that leverage this community patch velocity advantage. Some rising stars include the Google Chromium-based Brave and secure by design Tor Browser.
Try an Open Source Web Browser Alternative – Free as in Freedom!
With so many intelligent brains collectively maintaining and hardening these open codebases, you could argue FOSS browsers provide a more transparent, proactive security posture compared to opaque “black boxes” from big corporations.
So if Chrome’s onslaught of zero-days has you rethinking your browsing software, don’t sleep on the freedom and safety potential of open-source browser alternatives like Mullvad Browser! Their superior software development teams might just give you peace of mind.
References:
1. https://www.privacyguides.org/en/desktop-browsers/
2. https://mullvad.net/en/browser/things-to-look-for-when-choosing-a-browser
