Get Weekends Back: Put Chrome CVEs like CVE-2024-5274 on Auto-Patching
Last updated on: May 24, 2024
On May 9th, Google released an emergency update for its Chrome browser to patch a critical zero-day vulnerability, CVE-2024-4671. The “use after free” vulnerability affects the Visuals component of Chrome, which is responsible for rendering and displaying content. CVE-2024-4671 was identified and reported to Google by an anonymous researcher. The company has disclosed that this vulnerability is likely being actively exploited. This vulnerability exploits a flaw in which a program continues to use a memory pointer after it has been freed, potentially leading to unauthorized data manipulation or crashes.
As updates are deployed across various platforms, including Mac, Windows, and Linux, users should ensure they are running the latest version of Chrome. This can be checked by navigating to Settings > About Chrome. This proactive measure confirms that the patch is applied, protecting your system from potential exploits. If you find your browser is not up to date, it is recommended that you update it immediately.
Register for our upcoming webinar to learn how to fix Chrome vulnerabilities in under 3 hours.
Using Qualys and Zero-Touch Patching to Mitigate Risks
With the release of yet another Chrome update—marking the fifth this year—on a Friday, IT teams are looking at a potentially busy weekend. However, by utilizing Qualys Patch Management and its Zero-Touch Patching feature, IT teams can transform this situation from a demanding weekend at work into a seamless, automated process.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This not only streamlines the patching process but also ensures vulnerabilities are addressed promptly without the need for weekend work.
It is strongly advised that patching approaches for desktops and laptops be differentiated from those used in server and production environments. Generally, the risk of disrupting core business functions by updating desktop applications is significantly lower than the potentially severe impacts in a production setting. Leveraging smart automation for third-party applications on desktops and laptops enables organizations to swiftly address new zero-day threats with minimal IT involvement or additional effort. Once the policy is established, the process becomes completely automated with Zero Touch.
Leveraging Qualys for Enhanced Security
For those not currently using Qualys, starting with a trial of Qualys Patch Management could be an effective way to bring this powerful tool into your cybersecurity arsenal. The same VMDR (Vulnerability Management, Detection, and Response) agent used for the trial enables the immediate deployment of patches, including those for newly identified vulnerabilities like CVE-2024-4671. Once these automated jobs are configured, future patches released by Google or other vendors can be automatically updated, safeguarding desktops and laptops without ongoing manual oversight.
This integrated approach reduces the risk of cyber threats and significantly lowers the operational burden on IT staff, allowing them to focus on other critical aspects of IT management and innovation.
Google Chrome Zero-Day Update CVE-2024-4947 – May 15, 2024
Google has issued (another) emergency Chrome update to address the third zero-day vulnerability exploited within a week. The high-severity flaw, CVE-2024-4947, is a type of confusion weakness in the Chrome V8 JavaScript engine, reported by Kaspersky researchers. This vulnerability can enable arbitrary code execution on targeted devices. The other two zero-days patched this week are CVE-2024-4671 and CVE-2024-4761, affecting the Visuals component and V8 engine, respectively. This marks the seventh actively exploited zero-day patch in Chrome this year. Microsoft is also working on a fix for the Chromium-based Edge browser.
We recommended updating to version 125.0.6422.60/.61 at this time. No additional risks posed by this vulnerability to customers using our products and services have been identified at this time. We continue to actively monitor and will deploy any needed mitigation countermeasures should they be required.
Google Chrome Zero-Day Update CVE-2024-5274 – May 24, 2024
Another Friday, another Chrome zero-day. Google has released another critical security update to address a high-severity flaw in its Chrome browser, tracked as CVE-2024-5274. This type of confusion vulnerability in the V8 JavaScript and WebAssembly engine can allow threat actors to manipulate variables, potentially leading to crashes, arbitrary code execution, or access control bypasses. The issue, discovered by researchers Clément Lecigne from Google Threat Analysis Group and Brendon Tiszka from Chrome Security, marks the fourth zero-day vulnerability Google has patched this month.
Qualys recommends that users upgrade to Chrome version 125.0.6422.112/.113 on Windows and macOS, and version 125.0.6422.112 on Linux to mitigate the risk of exploitation and ensure continued protection against evolving threats.