In recent cybersecurity news, Google has swiftly addressed a critical security concern by releasing an emergency update for its Chrome browser. This update targets the third zero-day vulnerability detected in less than a week. Let’s have a look at the details of this Google Chrome zero-day patch and understand its implications for user safety.   […]

The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on TuxCare.

The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on Security Boulevard.

Google released a new Chrome update on Thursday to fix the fourth zero-day vulnerability in two weeks and eighth overall in 2024. "Google is aware that an exploit for CVE-2024-5274 exists in the wild," the company said in an advisory. Google did not provide details on the bug or the exploitation but credited Clement Lecigne of Google’s Threat Analysis Group (TAG) and Brendon Tiszka of Chrome Security for reporting the flaw. There is no knowledge of any bug bounty reward for this discovery. "Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user," the Center for Internet Security explained. Depending on the privileges associated with the logged on user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have less rights on the system could be less impacted than those who operate with administrative user rights." Chrome vulnerabilities are often targeted by commercial spyware vendors. Google TAG researchers have previously reported several zero-days exploited by spyware vendors, including security defects in Google’s browser. CVE-2024-5274 is the fourth zero-day patched in the last 15 days, following CVE-2024-4671 (use-after-free in Visuals), CVE-2024-4761 (out-of-bounds write in V8), and CVE-2024-4947 (type confusion in V8). So far this year, Google has resolved a total of eight Chrome zero-days. Three of these, CVE-2024-2886, CVE-2024-2887, and CVE-2024-3159, were demonstrated at the Pwn2Own Vancouver 2024 hacking contest in March. Complete list of zero-days published in 2024:

• CVE-2024-0519: Out-of-bounds memory access in V8
• CVE-2024-2886: Use-after-free in WebCodecs (presented at Pwn2Own 2024)
• CVE-2024-2887: Type confusion in WebAssembly (presented at Pwn2Own 2024)
• CVE-2024-3159: Out-of-bounds memory access in V8 (presented at Pwn2Own 2024)
• CVE-2024-4671 - Use-after-free in Visuals
• CVE-2024-4761 - Out-of-bounds write in V8
• CVE-2024-4947 - Type confusion in V8

The latest Chrome version has now been rolled out as 125.0.6422.112 for Linux and 125.0.6422.112/.113 for Windows and macOS. Google also released Chrome for Android versions 125.0.6422.112/.113 with the same security fixes.

Opera Rolled-Out Update to Fix Chrome Zero-Day

The current version of Opera browser is based on Chromium, the same engine that Google Chrome uses. Opera released a subsequent patch on Friday to fix the same bug.

Dear Opera Users! The latest stable release of Opera – 110.0.5130.39, incorporates a crucial 0-day fix for CVE-2024-5274, enhancing user security. This update ensures safer browsing for everyone.

Opera is available on Windows, macOS, Linux, Android and iOS. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.

First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.

“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”

Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with Virustotal.com.

Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.

CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.

“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in Sharepoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploitation of this bug requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.

Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.

Apple has just shipped macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.

Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.

Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to backup your data and or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.

Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.

Despite competitive pressures from industry behemoths like Microsoft and Google, investors are still betting big on startups in the specialized enterprise browser space.

The post Island Secures $175M Investment as Enterprise Browser Startups Defy Tech Giants appeared first on SecurityWeek.