Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

june 01, 2024

On May 31, 2024, Google released updates to address several critical vulnerabilities in Google Chrome, the most severe of which could allow for arbitrary code execution. These vulnerabilities were discovered in various components of the browser, including WebRTC, Dawn, Media Session, Presentation API, and Streams API. The vulnerabilities were reported by various security researchers and have been assigned CVE numbers ranging from CVE-2024-5493 to CVE-2024-5499.

### Overview of the Vulnerabilities

1. **CVE-2024-5493: Heap Buffer Overflow in WebRTC**

- This vulnerability, reported by Cassidy Kim, is a heap buffer overflow in WebRTC. It allows an attacker to execute arbitrary code in the context of the logged-on user, potentially leading to the installation of programs, viewing, changing, or deleting data, or creating new accounts with full user rights.

2. **CVE-2024-5494: Use After Free in Dawn**

- This vulnerability, also reported by Cassidy Kim, is a use-after-free issue in Dawn. It allows an attacker to exploit the vulnerability by creating a malicious HTML page that can execute arbitrary code in the context of the logged-on user.

3. **CVE-2024-5495: Use After Free in Dawn**

- This vulnerability, reported by wgslfuzz, is another use-after-free issue in Dawn. It allows an attacker to exploit the vulnerability by creating a malicious HTML page that can execute arbitrary code in the context of the logged-on user.

4. **CVE-2024-5496: Use After Free in Media Session**

- This vulnerability, reported by wgslfuzz, is a use-after-free issue in Media Session. It allows an attacker to exploit the vulnerability by creating a malicious HTML page that can execute arbitrary code in the context of the logged-on user.

5. **CVE-2024-5497: Out of Bounds Memory Access in Keyboard Inputs**

- This vulnerability, reported by zh1x1an1221 of Ant Group Tianqiong Security Lab, is an out-of-bounds memory access in Keyboard Inputs. It allows an attacker to exploit the vulnerability by creating a malicious HTML page that can execute arbitrary code in the context of the logged-on user.

6. **CVE-2024-5498: Use After Free in Presentation API**

- This vulnerability, reported by anymous, is a use-after-free issue in Presentation API. It allows an attacker to exploit the vulnerability by creating a malicious HTML page that can execute arbitrary code in the context of the logged-on user.

7. **CVE-2024-5499: Out of Bounds Write in Streams API**

- This vulnerability, reported by anonymous, is an out-of-bounds write in Streams API. It allows an attacker to execute arbitrary code in the context of the logged-on user, potentially leading to the installation of programs, viewing, changing, or deleting data, or creating new accounts with full user rights.

### Impact and Recommendations

These vulnerabilities could allow an attacker to execute arbitrary code in the context of the logged-on user, potentially leading to significant security risks. Users are advised to apply the latest updates provided by Google to vulnerable systems immediately after appropriate testing. Additionally, implementing additional security measures such as changing passwords, identifying local accounts with password-only authentication, and preventing local accounts from connecting to VPN with password authentication can help mitigate the risks associated with these vulnerabilities.

### Conclusion

The recent updates to Google Chrome address several critical vulnerabilities that could allow for arbitrary code execution. These vulnerabilities highlight the importance of ongoing security research and the need for users to stay up-to-date with the latest security patches. By applying these updates and implementing additional security measures, users can significantly reduce the risk of exploitation and protect their systems from potential threats.

### References

- [] Google Chrome Releases. (2024, May 31). Chrome Dev for Desktop Update. Retrieved from https://chromereleases.googleblog.com

- [] CISecurity. (2024, May 31). Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution. Retrieved from https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2024-064

- [] Ubuntu. (2024, May 30). CVE-2024-5499. Retrieved from https://ubuntu.com/security/CVE-2024-5499

Trending

The Silent Threat in Systems: Two New Vulnerabilities in Tenable Network Monitor

2025 Vulnerabilities in Real Estate Software

Critical Security Vulnerabilities in Dell ControlVault3 Firmware

Remote Code Execution in EV Charging Stations

Server-Side Request Forgery (SSRF) Vulnerability in SmartRobot by INTUMIT

Critical CSRF Vulnerability in Siemens SIMATIC S7-1200 PLCs: Exploitation and Defense

Prisma Access Browser Security Update: Take Action to Address Critical Vulnerabilities

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

### Overview of the Vulnerabilities

### Impact and Recommendations

### Conclusion

### References

Post a Comment

İletişim Formu