Chrome & Firefox Vulnerabilties
Lookout Coverage and Recommendation for Admins
To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:
- Enable the Application Vulnerability policy, which will detect when a vulnerable app version is on the device. Since there are known exploits, we suggest you set the severity to high and block user access to work data until they update the app.
- Lookout will publish the coverage on November 7th 2024 after which the alerts will be generated based on the admin's risk, response and escalation setup. Any device with vulnerable versions of Chrome (below the reported fixed version of 130.0.6723.58, Edge (below 130.0.2849.46), or Firefox (below 131.0.3) will receive an alert if detected after that date.
- Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device.
Overview
Google and Mozilla have both recently disclosed critical vulnerabilities in their respective Chrome and Firefox web browsers. The Chrome vulnerabilities are tracked as CVE-2024-9954 through CVE-2024-9966, CVE-2024-10230, and CVE-2024-10231. The Firefox vulnerabilities are tracked as CVE-2024-9680 and CVE-2024-9936.
CVE-2024-9954 through CVE-2024-9966 highlight various vulnerabilities in Google Chrome, including a use-after-free issue in AI (CVE-2024-9954) and another use-after-free in WebAuthentication (CVE-2024-9955). Additionally, CVE-2024-9956 identifies an inappropriate implementation in WebAuthentication specifically on Android devices. CVE-2024-10230 and CVE-2024-10231 are both Type Confusions in the Java V8 engine. All of the noted vulnerabilities could grant an attacker the ability to execute arbitrary code within the context of the browser by potentially exploiting heap corruptions.
In Firefox, CVE-2024-9680 could grant an attacker the ability to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. CVE-2024-9936 could allow an attack to cause unexpected behavior and crashes by manipulating the selection node cache.
Lookout Analysis
Vulnerabilities like these can have outsized impact on mobile fleets - especially when they exist in everyday apps such as mobile browsers. In addition to gaining remote access to vulnerable devices, successful exploits in browsers also frequently grant the attacker access to the same permissions as the browsers.
Each of the vulnerabilities disclosed can be exploited via a maliciously crafted webpage, which means that attackers can deliver them as URLs in the same way they would deliver phishing attacks on mobile. This means they would likely socially engineer an individual through SMS, iMessage, WhatsApp, Telegram, Instagram, LinkedIn, or any of the countless messaging and social media apps on mobile devices. A successful attack could lead to continued data leakage and risk for enterprise organizations.
Authors
Lookout
Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.
