Google has issued its latest Chrome update for 2 billion Microsoft Windows users, with three high-severity vulnerabilities fixed. As ever, users are urged to update their browsers right away. Timing-wise, just as this latest update has hit users, so have details of a dangerous exploitation of a Chrome security threat that tricked users into visiting a website with “a hidden script that launched a zero-day exploit, giving the attackers complete control over the victim’s PC.”

Windows users can now update their browsers to 130.0.6723.69/.70, which should download automatically. Just make sure you restart to ensure the update installs. While one of the three fixes concerns the handling of extensions, the other two are more typical memory-safety risks in the underlying V8 engine that powers Chrome. All three fixes were disclosed by external security researchers.
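Because the fix is tied to a specific build number, the practical check for an administrator is whether each installed Chrome is at or above 130.0.6723.69. The following is an added example, not code from the article or from Google, that parses Chrome's four-part version strings and triages a fleet inventory against that minimum build. The inventory (hostnames and versions) is constructed for illustration; in practice the version string would come from a software-inventory tool or from chrome://version on the machine.

```python
from typing import Dict, List, Tuple

# Minimum patched Windows builds named in the article (130.0.6723.69 and .70).
PATCHED_WINDOWS_BUILDS = ("130.0.6723.69", "130.0.6723.70")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a Chrome version such as '130.0.6723.69' into a 4-tuple of ints.

    Chrome versions are MAJOR.MINOR.BUILD.PATCH. Missing trailing components
    are treated as zero, so '130.0.6723' compares as '130.0.6723.0'. Comparing
    the integer tuple (not the string) avoids the lexical trap where '.7' would
    sort above '.69'.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def is_patched(installed: str, minimum: str = PATCHED_WINDOWS_BUILDS[0]) -> bool:
    """True if the installed build is at or above the minimum fixed build."""
    return parse_version(installed) >= parse_version(minimum)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {host: version} inventory into patched / needs_update / unparseable."""
    result: Dict[str, List[str]] = {"patched": [], "needs_update": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "patched" if is_patched(version) else "needs_update"
        except ValueError:
            # An unreadable version is a finding in its own right: do not silently
            # count it as either patched or unpatched.
            bucket = "unparseable"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hypothetical hostnames and versions, not from the article.
SAMPLE_INVENTORY = {
    "ws-01": "130.0.6723.70",
    "ws-02": "130.0.6723.58",
    "ws-03": "129.0.6668.100",
    "ws-04": "131.0.6778.0",
    "ws-05": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Note that the check only tells you which build is installed on disk; as the paragraph above says, the update is not effective until the browser has been restarted, so a host can report a patched version while still running the old code.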

This update comes as Kaspersky’s research team has published details of a Chrome vulnerability that Google disclosed and fixed back in May. That team has now shared “in great detail the vulnerabilities exploited by the attackers and the game they used as bait (we had to develop our own server for this online game).”

The exploited zero-day is CVE-2024-4947, which I reported on at the time and for which Google quickly warned “an exploit exists in the wild.” Just as with two of the fixes this week, that threat was a “type confusion in V8.” The US government’s cybersecurity agency added CVE-2024-4947 to its Known Exploited Vulnerabilities catalog and ordered all federal employees to update their PCs. No word yet of any active exploits this time around, although that could change.

Kaspersky attributes those attacks to the APT group Lazarus, “a highly sophisticated and multifaceted Korean-speaking threat actor.” The backdoor attack leveraged the group’s Manuscrypt tool—malware Lazarus “has been employing since at least 2013,” Kaspersky says. “We’ve documented its usage in 50+ unique campaigns targeting governments, diplomatic entities, financial institutions, military and defense contractors, cryptocurrency platforms, IT and telecommunication operators, gaming companies, media outlets, casinos, universities, and even security researchers.”

The attack was picked up on the PC of a home user who had visited detankzone[.]com. “This website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version. But that was just a disguise.” The dangerous script was hidden behind the site. “Visiting the website was all it took to get infected — the game was just a distraction.”

Microsoft also published an advisory warning that a North Korean threat actor had exploited Chrome’s zero-day, but Kaspersky’s report delves further into the details behind the attack. It is a pretty stark warning for users as to how easily they can be compromised by following the breadcrumbs attackers leave for them as they browse the web.

So, why such regular V8 vulnerabilities? Kaspersky explains that “the heart of every web browser is its JavaScript engine. The JavaScript engine of Google Chrome is called V8 — Google’s own open-source JavaScript engine. For lower memory consumption and maximum speed, V8 uses a fairly complex JavaScript compilation pipeline, currently consisting of one interpreter and three JIT compilers.” CVE-2024-4947 was a vulnerability in a new, optimizing compiler within V8.

For almost all of those 2 billion Chrome users, only two details matter. The first is the way in which attackers lure victims to malicious sites, through social media posts and phishing emails, driving visits to a website set up specifically to execute the attack; in this case, the game. This is why clicking such links is so discouraged. Once the exploit executes, an attacker starts to pull your data, starting with cookies and credentials within Chrome but potentially expanding out to your PC itself. Which brings us to the second critical point: keep your browser updated.

“Historically,” Kaspersky says, “half of the bugs discovered or exploited in Google Chrome and other web browsers have affected its compilers. Huge changes in the code base of the web browser and the introduction of new JIT compilers inevitably lead to a large number of new vulnerabilities.” Chrome is working on its V8 sandbox to reduce the impact of such memory vulnerabilities, while Microsoft Edge’s approach doesn’t leave it exposed in the same way. This is why Microsoft has been pushing Edge as a more secure alternative to Chrome, leveraging warnings exactly like this one.

The ironic twist here is Kaspersky reporting on a Google vulnerability just as its software is dropped from Google’s Play Store following its US ban. Timing, as they say, is everything after all. Regardless, Kaspersky’s report exposes the danger of V8 memory vulnerabilities, with two further high-severity threats now fixed. Users should ensure they update to the latest version of the browser right away.
