WNE Security News


Google Chrome Arbitrary Code Execution (CVE-2024-6290, CVE-2024-6292, CVE-2024-6293)

Cybersecurity Service Provider

WNE Security Publisher

6/26/2024

CVE-2024-6290, CVE-2024-6292 & CVE-2024-6293 Base Score: 9.0


(CVE-2024-6290, CVE-2024-6292, CVE-2024-6293) Description

These vulnerabilities are classified as Use-after-free (UAF) flaws in Dawn, a critical component of Google Chrome’s graphics pipeline. They affect Google Chrome versions prior to 126.0.6478.126.

The vulnerabilities allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. Specifically:

  1. Nature of the Vulnerability: These are memory corruption flaws where the program continues to use a pointer after the memory it points to has been freed.
  2. Attack Vector: An attacker could craft a malicious HTML page designed to trigger the use of previously freed memory in Dawn.
  3. Potential Impact: If successfully exploited, these vulnerabilities could allow an attacker to:
    • Execute arbitrary code on the victim’s system
    • Cause browser crashes
    • Potentially access or manipulate sensitive data
  4. Severity: These vulnerabilities are rated as High severity in the Chromium security scale.
  5. Exploitability: The use of previously-freed memory can have various adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the specific circumstances of the flaw.
  6. Root Cause: These vulnerabilities likely stem from improper handling of memory allocation and deallocation in the Dawn component, possibly due to error conditions, exceptional circumstances, or confusion over which part of the program is responsible for freeing memory.

What is Affected By (CVE-2024-6290, CVE-2024-6292, CVE-2024-6293)

Affected Software:

  1. Google Chrome prior to version 126.0.6478.126/127 for Windows and Mac
  2. Google Chrome prior to version 126.0.6478.126 for Linux

Affected Components: Dawn, which is a critical component of Google Chrome’s graphics pipeline. Dawn is responsible for efficient GPU computation and rendering in Chrome.

Affected Systems:

  1. Windows-based systems running vulnerable versions of Google Chrome
  2. Mac-based systems running vulnerable versions of Google Chrome
  3. Linux-based systems running vulnerable versions of Google Chrome

Affected Users: While all users of vulnerable Chrome versions are potentially at risk, the impact varies:

  1. High risk for users in large and medium government entities and businesses
  2. Medium risk for users in small government entities and businesses
  3. Low risk for home users
  4. Users with administrative rights are at higher risk compared to those with limited user permissions

Affected Browser Functionality: These vulnerabilities potentially affect the browser’s ability to safely render graphics, which could impact:

  1. General web browsing safety
  2. The integrity of displayed content
  3. The overall stability of the browser

Affected Security Aspects:

  1. Integrity: The vulnerabilities could allow unauthorized modification of data
  2. Confidentiality: There’s potential for unauthorized access to sensitive information
  3. Availability: The flaws could lead to browser crashes or system instability

Affected Development and Security Practices: These vulnerabilities highlight the need for:

  1. Robust memory management practices in browser development
  2. Regular security audits and updates
  3. Improved error handling and resource management in graphics processing components

It’s important to note that while these vulnerabilities are serious, they are only exploitable through specific, crafted HTML pages. Users who have updated to Chrome version 126.0.6478.126 or later are not affected by these particular vulnerabilities.

 

Mitigation and Remediation For (CVE-2024-6290, CVE-2024-6292, CVE-2024-6293)

  • Update Google Chrome:
    • The primary and most crucial step is to update Google Chrome to version 126.0.6478.126 or later.
    • For Windows and Mac: Update to version 126.0.6478.126/127 or later.
    • For Linux: Update to version 126.0.6478.126 or later.
  • Enable Automatic Updates:
    • Configure Chrome to automatically install updates to ensure timely application of security patches.
  • Implement the Principle of Least Privilege:
    • Run Chrome and other software with non-administrative privileges to minimize the impact of potential attacks.
  • Enable Anti-exploitation Features:
    • Utilize built-in security features like Microsoft Data Execution Prevention (DEP) on Windows.
    • On Mac, ensure System Integrity Protection (SIP) and Gatekeeper are enabled.
  • Use DNS Filtering and URL Filters:
    • Implement DNS filtering services to block access to known malicious domains.
    • Enforce and update network-based URL filters to limit connections to potentially malicious websites.
  • User Education:
    • Train users to recognize social engineering attacks and practice safe browsing habits.
    • Educate users about the importance of keeping software updated.
  • Application Isolation:
    • Consider running web browsers in sandboxed environments when possible.
  • Maintain a Robust Vulnerability Management Process:
    • Establish and maintain a documented vulnerability management process.
    • Perform automated application patch management on a monthly or more frequent basis.
  • Restrict Web-Based Content:
    • Limit use of certain websites, block downloads/attachments, and restrict browser extensions where appropriate.
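
To confirm the update has landed across a fleet, the following Python script (an added example, not code from WNE Security or Google) triages an inventory export against the fixed build named above. The `host,os,version` row format and the sample hosts are assumptions constructed for illustration; the 126.0.6478.126 threshold is the one this advisory gives as the minimum safe version.

```python
import re

# Fixed build from the advisory: 126.0.6478.126 or later on every platform.
FIXED = (126, 0, 6478, 126)
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 126.0.6478.114'. Returns a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_vulnerable(version_text):
    """True below the fixed build, False at or above it, None if unparseable."""
    v = parse_version(version_text)
    # Compare as integer tuples: as strings, "99.0.4844.51" sorts after "126...".
    return None if v is None else v < FIXED


def triage(rows):
    """rows: 'host,os,version' lines (assumed export format).
    Returns {'vulnerable': [...], 'patched': [...], 'unknown': [...]} by host."""
    out = {"vulnerable": [], "patched": [], "unknown": []}
    for row in rows:
        parts = [p.strip() for p in row.split(",", 2)]
        if len(parts) != 3 or not parts[0]:
            continue  # skip blank or malformed rows
        state = is_vulnerable(parts[2])
        key = "unknown" if state is None else "vulnerable" if state else "patched"
        out[key].append(parts[0])
    return out


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = [
    "ws-001,windows,Google Chrome 126.0.6478.127",
    "ws-002,windows,Google Chrome 126.0.6478.114",
    "mac-01,macos,Google Chrome 126.0.6478.126",
    "lnx-07,linux,Google Chrome 99.0.4844.51",
    "lnx-09,linux,not installed",
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need manual follow-up rather than being assumed patched.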
