Google Chrome dominates the desktop browser market, which means it’s the default for a billion-plus Windows users. Google’s last Chrome security update was a rather muted affair. Yes, there were a handful of patches in the mix—albeit nothing too exciting. The more interesting news was Windows Hello sign-on by default. Now though, normality is restored, and a more urgent update warning has just been issued. And so the usual advice applies—update Chrome as soon as you can.
Stable channel 123.0.6312.86/.87 includes a critical security fix for CVE-2024-2883, and there are three high risk fixes as well. As Google explains, “critical severity issues allow an attacker run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.”
In short, this implies an issue where a maliciously constructed webpage could exploit a memory vulnerability on your PC, potentially giving an attacker access.
Google doesn’t publish much detail on such security issues until time has been given for users to update their browsers; once made public, a clock starts ticking and the risk of exploitation increases. But Google does “aim to deploy the patch to all Chrome users in under 30 days,” when it’s critical, which illustrates the urgency here.
The type of vulnerability seen here is known as “use after free,” which means that the pointer to a memory location on the device is not cleared once that memory has been freed up. That pointer to the now free memory can be exploited by an attacker as part of an attack chain. There is no suggestion yet that this current vulnerability has been exploited. Two of the three high-risk patched vulnerabilities are also UAF.
As Kaspersky explains, “because dynamic memory is reallocated repeatedly, programs need to check constantly which sections of the heap are free and which are occupied. Here, headers help by referencing allocated memory areas. Each header contains the starting address of the corresponding block. UAF bugs arise when programs do not manage these headers properly.”
When that happens, “if the program then allocates this same chunk of memory to another object (for example, data entered by an attacker), the dangling pointer will now reference this new data set. In other words, UAF vulnerabilities allow for code substitution,” which means tricking the device into executing malicious code.
You should set Chrome to update automatically, but as with all apps and platforms, when there’s a critical patch it’s worth checking that the update has been downloaded and installed, and if not doing so manually as soon as it’s available.
