
Google patches critical type-confusion flaw in Chrome browser


Google issued a Windows and Mac patch for a critical Chrome bug, and will roll out a Linux patch in the coming days and weeks.

In an April 24 blog post, Google said the flaw, CVE-2024-4058, was a type confusion in ANGLE, Google Chrome's graphics layer engine. The large tech vendor did not say whether the flaw was exploited in the wild, but past reporting by SC Media indicates that threat actors do exploit type confusions in Google Chrome.

A type confusion, also known as type manipulation, is an attack vector that can occur in interpreted languages such as JavaScript and PHP that use dynamic typing. In dynamic typing, the type of a variable is identified and updated at runtime, rather than at compile time as in a statically typed programming language.
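The dynamic-typing behaviour described above, as an added JavaScript example that is not from Google's advisory or the original article and does not model CVE-2024-4058: a validator written for strings is handed an array at runtime, next to a version that pins the type first. The function names and sample inputs are constructed for illustration.

```javascript
// Added illustration: hypothetical function names, constructed inputs.

// Naive validator: written with a string in mind, but it never checks the type.
// On an array, .length counts elements and .includes() compares whole
// elements, so both checks silently answer a different question.
function naiveIsValidName(name) {
  return name.length <= 8 && !name.includes("<");
}

// Hardened validator: pin the runtime type first, then apply the string checks.
function strictIsValidName(name) {
  return typeof name === "string" && name.length <= 8 && !name.includes("<");
}

// Where the confusion becomes visible: concatenation coerces any value
// to a string, so an array of one string renders as that string.
function render(name) {
  return "Hello, " + name;
}

// Constructed inputs, as a JSON body parser might hand them to the validator.
const samples = [
  JSON.parse('"alice"'),                    // short, clean string
  JSON.parse('"<b>far-too-long</b>"'),      // string that breaks both rules
  JSON.parse('["<b>far-too-long</b>"]'),    // same text wrapped in an array
];

// Run every sample through both validators and record the outcome.
function report() {
  return samples.map((value) => ({
    type: Array.isArray(value) ? "array" : typeof value,
    naive: naiveIsValidName(value),
    strict: strictIsValidName(value),
    rendered: render(value),
  }));
}

console.log(report());
```

The array passes the naive check with one element and no element equal to `"<"`, yet renders as the rejected string; the strict check refuses it because its type is not `string`.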

Given that Google assigned a "critical" rating to this flaw, there’s a high potential that attackers could achieve arbitrary code execution or sandbox escapes in an automated fashion and with little or no user interaction.

Google credited two members of Qrious Secure — Toan (suto) Pham and Bao (zx) Pham — for reporting the critical flaw on April 2, awarding a $16,000 bug bounty for their findings.

Sarah Jones, cyber threat intelligence research analyst at Critical Start, said the flaw's "critical" rating signifies its potential for severe consequences. Jones said attackers could exploit this flaw remotely, meaning they wouldn't need users to click on suspicious links or download files to gain access.

“This makes it particularly concerning,” said Jones. “While the technical specifics are being kept under wraps for now, a critical vulnerability like this could potentially let attackers run malicious code on a computer or bypass security features altogether. This could put user data at risk of theft, open the door for malware installation, or even damage individual user systems.”

John Bambenek, president at Bambenek Consulting, added that browser vulnerabilities that can exploit victims without interaction (aside from getting them to an exploit page) are the most severe types of browser issues.

In recent years, Bambenek said much work has been done to make browsers more secure.

“Therefore, the frequency of these issues has gone down, however, users should update their Chrome installations immediately,” said Bambenek. “It usually takes approximately 12-24 hours for threat actors to craft an attack by reverse engineering the patch, so if exploitation isn’t happening in the wild already, it will be tomorrow.”
