The Indian Computer Emergency Response Team (CERT-In) has issued a warning about newly discovered vulnerabilities in Google Chrome that could pose significant risks to users.
These vulnerabilities, identified as CVE-2024-10826 and CVE-2024-10827, stem from a critical “use-after-free” issue in Chrome’s code, affecting versions of the browser across multiple operating systems.
The flaws, if exploited, could allow cybercriminals to execute arbitrary code, compromise sensitive data, or cause system crashes.
Overview of the Vulnerabilities in Google Chrome
The vulnerabilities, both classified as high severity, were officially reported in a CERT-In Vulnerability Note (CIVN-2024-0334) on November 8, 2024. They affect Google Chrome versions prior to 130.0.6723.116 for Linux, and versions before 130.0.6723.116/117 for Windows and macOS. The issues are linked to a use-after-free condition found in two specific components of the browser: Family Experiences and Serial.
The term use-after-free refers to a flaw in the software where a program continues to use memory that has already been freed or deallocated. This can result in unexpected behavior, including the execution of malicious code or a system crash. In this case, attackers could exploit these vulnerabilities by tricking users into visiting specially crafted websites, thereby triggering the flaw and taking control of the affected system.
The Risks of Exploiting These Google Chrome Vulnerabilities
The successful exploitation of the vulnerabilities in Google Chrome could lead to severe consequences for users. Among the potential risks are:
- Arbitrary Code Execution: An attacker could run malicious code on the victim’s machine, gaining unauthorized access to sensitive data or enabling the installation of malware.
- Denial of Service (DoS): A remote attacker could cause the browser or even the entire system to crash, disrupting the victim’s activities.
- Data Theft: With the ability to execute arbitrary code, attackers could gain access to personal information, login credentials, and other sensitive data stored in the browser.
- System Instability: The vulnerabilities could cause browser instability or system crashes, leading to downtime and potential data loss.
Details of the Affected Components
The two identified vulnerabilities—CVE-2024-10826 and CVE-2024-10827—are associated with the Family Experiences and Serial components of Google Chrome:
- CVE-2024-10826: This flaw affects the Family Experiences feature of Chrome, a component designed to help users manage family and child accounts. It could allow attackers to execute arbitrary code on the victim’s device. This issue was reported by an anonymous security researcher on September 29, 2024.
- CVE-2024-10827: The second vulnerability, which affects the Serial component of the browser, was reported on October 23, 2024. This component handles communication with serial devices, and a use-after-free condition in this area could similarly lead to the execution of malicious code or system instability.
Both vulnerabilities were considered high-risk due to their potential to allow remote attackers to take control of the affected systems.
The Fix: Google Chrome Security Update
Google has already rolled out an update to address these vulnerabilities. Users are strongly advised to upgrade to the latest stable version of Google Chrome to protect against these security risks. The update, version 130.0.6723.116/117, is available for Windows, macOS, and Linux systems. Specifically, users on Linux should update to 130.0.6723.116, while users on Windows and macOS should upgrade to 130.0.6723.116 or 130.0.6723.117, depending on their system.
The official Google Chrome blog confirmed the update on November 5, 2024, announcing that the Stable Channel for Chrome had been updated, with the new version rolling out gradually over the following days. It also mentioned that the Extended Stable Channel was updated to version 130.0.6723.117 for Windows and macOS.
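For administrators who need to confirm the update has reached their machines, the following Python script is an added example (not part of the CERT-In note or Google's release post) that classifies collected Chrome version strings against the fixed builds named above. The host names, inventory lines and function names are constructed for illustration, and 130.0.6723.116 is assumed as the lower bound on Windows and macOS, where the article lists 116/117.

```python
import re

# Fixed builds as stated in the article (CIVN-2024-0334). For Windows and macOS
# the article lists 130.0.6723.116/117; .116 is used here as the lower bound.
FIXED = {
    "linux": (130, 0, 6723, 116),
    "windows": (130, 0, 6723, 116),
    "macos": (130, 0, 6723, 116),
}

# Four dot-separated numeric fields, not embedded in a longer dotted number.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Return the first Chrome-style version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one inventory record."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unsupported platform or no readable version: check by hand
    # Integer tuples compare numerically; as strings, "92" would sort after "116".
    return "vulnerable" if version < fixed else "patched"

# Constructed inventory: (host, platform, raw version output).
INVENTORY = [
    ("ws-001", "windows", "Google Chrome 130.0.6723.117"),
    ("ws-002", "windows", "Version 130.0.6723.92 (Official Build) (64-bit)"),
    ("lx-010", "linux", "Google Chrome 130.0.6723.116 "),
    ("mac-03", "macos", "Google Chrome 129.0.6668.100"),
    ("lx-011", "linux", "chrome: command not found"),
]

def audit(inventory):
    """Group host names by patch status."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, platform, text in inventory:
        report[classify(platform, text)].append(host)
    return report

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown returned no readable version and should be checked manually rather than assumed patched.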
Google has thanked the external security researchers who contributed to identifying and reporting these vulnerabilities. In particular, the company highlighted the work done by an anonymous researcher who reported CVE-2024-10826 in September and another anonymous researcher who reported CVE-2024-10827 in October.