Google Chrome Zero-Day Bug Under Attack, Allows Code Injection

Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. It paves the way for code execution and other cyberattacks on targeted endpoints.

The vulnerability, assigned as CVE-2024-0519, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the browser in less than a calendar month. In 2023, Google disclosed a total of eight zero-day vulnerabilities in Chrome, which is by far the most widely used browser currently.

CVE-2024-0519: A Memory Corruption Security Bug

CVE-2024-0519 concerns what Google described as an out-of-bounds memory access issue in Chrome's V8 JavaScript engine. Such vulnerabilities arise when a software program attempts to access memory locations outside its allocated boundaries.

Attackers can leverage these vulnerabilities to access sensitive information in adjacent memory locations on an affected system, cause it to crash, modify data, or inject malicious code, according to researchers from Vulnera.

"Besides unauthorized memory access, CVE-2024-0519 could also be exploited to circumvent protection mechanisms such as ASLR, making it easier to execute code via another vulnerability," according to a Vulnera blog post.

Google said an anonymous security researcher had reported the vulnerability to the company on Jan. 11. As is typical for Google with zero-day vulnerabilities, the company's bug disclosure did not offer any details on the flaw beyond noting that an exploit for CVE-2024-0519 exists in the wild. The vulnerability is one of three flaws that Google patched this week. The others are CVE-2024-0517, which is an out-of-bounds write issue in V8, and CVE-2024-0518, a type confusion flaw in V8.

A Flurry of Zero-Days for Chrome

CVE-2024-0519 adds to a growing list of zero-day bugs that researchers and attackers have discovered in Chrome in recent years. However, the eight Chrome zero-days that Google disclosed in 2023 were actually less than the nine it disclosed in 2022 and the troubling 15 from 2021.

Data in Google's 0day "In the Wild" spreadsheet shows that from 2014, when Google's Project Zero bug-hunting team first began tracking actively exploited zero-days, to the end of 2018, there were no publicly disclosed Chrome zero-days. Since then, between January 2019 and January 2024, Google has disclosed a total of 43 zero-day bugs in Chrome, many of which have also affected browsers based on Chromium technology, such as Microsoft Edge.

Seventeen of the zero-days — including the one that Google patched this week — affect the V8 JavaScript engine for the Chrome browser. Almost all of them were similar memory corruption issues that enabled a wide range of malicious activity.

Publicly released vulnerability data shows that Chrome is one of the most widely targeted technologies among attackers in recent years. Security analysts have pointed to Chrome's large customer base — it accounts for nearly 65% of browser market share worldwide — as one reason for the growing interest in the technology from both attackers and bug hunters. Another factor is the almost ubiquitous use of browsers for accessing applications, websites, documents, PDFs, and other content online. With browsers beginning to replace conventional client technologies, attackers have increasingly begun targeting them instead.

Growing Cyberattacker Interest in Browser Technology

While Chrome has been a favorite target, other browser technologies have not escaped researcher or attacker interest. Apple, for instance, has disclosed a total of 21 zero-day bugs in its WebKit browser engine since 2021 — 11 of them just last year.

Recently, both Apple and Google have warned of attackers seeking to exploit browser vulnerabilities for spying purposes. Last September, for instance, when Google disclosed a zero-day bug (CVE-2023-5217) in a Chrome software library, the company warned of a commercial vendor exploiting the flaw to drop the Predator spyware tool on affected Android devices.

Concerns over browser attacks appear to be pushing organizations to implement measures for securing browser use. In a survey of 150 CISOs that LayerX conducted last year, 87% of organizations in all-SaaS environments reported at least one browser-borne attack in the prior 12 months. Forty-seven percent had deployed controls for forced browser updates in their environment, 41% removed suspicious extensions, and 78% restricted non-corporate browser profiles.