October 9, 2024

CVE-2024-8904, 9602, & 9603


Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

  • Enable the Application Vulnerability policy, which detects when a vulnerable app version is installed on a device. Since exploits are known, we suggest setting the severity to high and blocking user access to work data until the app is updated.
  • Lookout will publish coverage on October 24th, 2024, after which alerts will be generated according to the admin's risk, response and escalation setup. Any device with a vulnerable version of Chrome (below the reported fixed version, 129.0.6668.100) will receive an alert if detected after that date. Devices with an unpatched version of Microsoft Edge (below 129.0.2792.92) will also be alerted.
  • Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from phishing campaigns built to lure them to pages that exploit these vulnerabilities, phish credentials, or deliver malicious apps to the device.
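Admins who keep their own inventory (an MDM export, for instance) can apply the same threshold check outside the console. The program below is an added example, not Lookout's code or console logic: it parses dotted browser versions numerically and flags rows below the fixed builds quoted in this advisory. The inventory rows are constructed for the example; the package names are the Android identifiers for Chrome (com.android.chrome) and Edge (com.microsoft.emmx), and the thresholds are the fixed versions named above.

```cpp
// Added example (not Lookout's code): flag inventory rows whose browser build
// is below the first fixed version. Sample rows are constructed.
#include <cstdio>
#include <string>
#include <vector>

struct Version { unsigned parts[4]; };

// Parses "129.0.6668.100" into four numeric components. Anything that is not
// exactly four dot-separated unsigned integers is rejected, so a malformed or
// missing version is reported instead of being silently treated as 0.0.0.0.
static bool ParseVersion(const std::string& s, Version* out) {
  size_t pos = 0;
  for (int i = 0; i < 4; ++i) {
    size_t start = pos;
    unsigned long long value = 0;
    while (pos < s.size() && s[pos] >= '0' && s[pos] <= '9') {
      value = value * 10 + static_cast<unsigned>(s[pos] - '0');
      if (value > 0xFFFFFFFFull) return false;
      ++pos;
    }
    if (pos == start) return false;                       // empty component
    out->parts[i] = static_cast<unsigned>(value);
    if (i < 3) {
      if (pos >= s.size() || s[pos] != '.') return false; // expected a dot
      ++pos;
    }
  }
  return pos == s.size();                                 // no trailing text
}

// Component-wise numeric comparison. Comparing the strings instead gets this
// wrong: "129.0.6668.99" sorts after "129.0.6668.100" lexicographically.
static bool VersionLess(const Version& a, const Version& b) {
  for (int i = 0; i < 4; ++i)
    if (a.parts[i] != b.parts[i]) return a.parts[i] < b.parts[i];
  return false;
}

// First fixed builds named in this advisory, keyed by Android package name.
struct FixedBuild { const char* package; const char* fixed; };
static const FixedBuild kFixed[] = {
  {"com.android.chrome", "129.0.6668.100"},   // Google Chrome
  {"com.microsoft.emmx", "129.0.2792.92"},    // Microsoft Edge
};

enum class Status { kNotTracked, kUnparseable, kVulnerable, kPatched };

static Status Check(const std::string& package, const std::string& version) {
  for (const FixedBuild& f : kFixed) {
    if (package != f.package) continue;
    Version have{}, fixed{};
    if (!ParseVersion(version, &have) || !ParseVersion(f.fixed, &fixed))
      return Status::kUnparseable;
    return VersionLess(have, fixed) ? Status::kVulnerable : Status::kPatched;
  }
  return Status::kNotTracked;
}

// Constructed sample of an inventory export: device id, package, version.
struct Row { std::string device, package, version; };
static const std::vector<Row> kSample = {
  {"dev-001", "com.android.chrome",  "129.0.6668.99"},
  {"dev-002", "com.android.chrome",  "129.0.6668.100"},
  {"dev-003", "com.microsoft.emmx",  "128.0.2739.79"},
  {"dev-004", "com.microsoft.emmx",  "129.0.2792.92"},
  {"dev-005", "com.android.chrome",  "unknown"},
  {"dev-006", "org.mozilla.firefox", "130.0.1"},
};

// Devices that should be blocked from work data until the browser is updated.
static std::vector<std::string> VulnerableDevices(const std::vector<Row>& rows) {
  std::vector<std::string> out;
  for (const Row& r : rows)
    if (Check(r.package, r.version) == Status::kVulnerable) out.push_back(r.device);
  return out;
}

int main() {
  static const char* kNames[] = {"not tracked", "UNPARSEABLE", "VULNERABLE", "patched"};
  for (const Row& r : kSample)
    std::printf("%s %-20s %-15s %s\n", r.device.c_str(), r.package.c_str(),
                r.version.c_str(), kNames[static_cast<int>(Check(r.package, r.version))]);
  return 0;
}
```

Rows that come back as UNPARSEABLE (dev-005 above) deserve the same treatment as vulnerable ones in a blocking policy: a device that cannot report its browser version has not demonstrated that it is patched.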

Overview 

Google has reported three new vulnerabilities in Chromium-based browsers. Tracked as CVE-2024-8904, CVE-2024-9602, and CVE-2024-9603, all three are type confusion bugs in V8, the engine that compiles and executes JavaScript in Chromium. In unpatched versions, a remote attacker can use a crafted HTML page to trigger heap corruption and potentially gain code execution inside the browser's renderer process. Because Microsoft Edge is built on Chromium, it inherits the bugs alongside Chrome on mobile. Any version of Chrome prior to 129.0.6668.100 and of Microsoft Edge prior to 129.0.2792.92 is vulnerable.

The National Vulnerability Database (NVD) has given each of these vulnerabilities a CVSS v3.1 base score of 8.8 (High). The score reflects that the attack is launched remotely over the network, has low complexity, and needs no authentication; the only requirement is that the victim opens a page the attacker controls.

Lookout Analysis

CVE-2024-8904, CVE-2024-9602, and CVE-2024-9603 are described as type confusion bugs in V8 that allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. A type confusion occurs when code operates on an object that is not of the type it expects. In a JavaScript engine the usual form is an optimized (JIT-compiled) path that assumes an object has a certain type or shape and omits the check that would confirm it; if attacker-controlled script can substitute an object of a different type, field accesses that were valid for the expected type land on unrelated memory, producing out-of-bounds reads and writes on the heap. That primitive is typically enough to read and write the renderer process's memory and execute code within it, which puts the integrity and confidentiality of the data the browser handles in that process at risk. Two caveats: the renderer runs inside Chromium's sandbox, so reaching the rest of the device requires a separate sandbox-escape bug chained with one of these; and on iOS, Chrome and Edge are built on Apple's WebKit rather than V8, so the affected engine ships in the Android (and desktop) builds.
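To make the mechanism concrete, the program below is an added example written for this page; it is not V8 code and does not reproduce any of the three CVEs, whose details have not been published. It models a toy heap with two object kinds that share a header layout, an "optimized" array store that skips the kind check the way a mis-speculating JIT path would, and the checked store that a fix restores. The object layouts, offsets and names are invented for illustration, and the heap is a private buffer so the corruption stays observable instead of crashing the process.

```cpp
// Added example (not Chromium/V8 code): how a missing type check turns into a
// heap write at an attacker-chosen location. Layouts and offsets are invented.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>

// Toy heap. Objects live at fixed offsets and refer to each other by offset,
// so the confused write below lands inside this buffer, not in the real heap.
static uint8_t g_heap[128];

enum Kind : uint32_t { kArray = 1, kString = 2 };

// Both kinds keep a 4-byte kind tag at 0 and a 4-byte length at 4. Offset 8 is
// where they differ: an array stores the offset of its element storage there,
// a string stores its inline characters there.
enum { kOffKind = 0, kOffLength = 4, kOffElements = 8, kOffChars = 8 };

static uint32_t Load32(uint32_t off) {
  if (off + 4 > sizeof g_heap) throw std::out_of_range("read outside toy heap");
  uint32_t v; std::memcpy(&v, g_heap + off, 4); return v;
}
static void Store32(uint32_t off, uint32_t v) {
  if (off + 4 > sizeof g_heap) throw std::out_of_range("write outside toy heap");
  std::memcpy(g_heap + off, &v, 4);
}

// Placement (arbitrary): victim array at 0, its elements at 16, the
// attacker-controlled string at 32.
enum { kVictim = 0, kVictimElems = 16, kAttacker = 32 };

static void Reset() {
  std::memset(g_heap, 0, sizeof g_heap);
  Store32(kVictim + kOffKind, kArray);
  Store32(kVictim + kOffLength, 2);                       // victim has 2 elements
  Store32(kVictim + kOffElements, kVictimElems);
  Store32(kVictimElems + 0, 0xAAAA);
  Store32(kVictimElems + 4, 0xBBBB);
  Store32(kAttacker + kOffKind, kString);
  Store32(kAttacker + kOffLength, 8);                     // an 8-character string...
  Store32(kAttacker + kOffChars, kVictim + kOffLength);   // ...whose first 4 characters
  std::memcpy(g_heap + kAttacker + kOffChars + 4, "AAAA", 4); // spell the victim's length field
}

// "Optimized" element store, emitted on the assumption that obj is an array,
// so it never reads the kind tag. The index bounds check is present, but when
// obj is really a string it checks against the string's length and reads the
// string's characters as the element-storage location.
static void FastArraySet(uint32_t obj, uint32_t idx, uint32_t value) {
  uint32_t length = Load32(obj + kOffLength);
  if (idx >= length) throw std::out_of_range("index");
  uint32_t elems = Load32(obj + kOffElements);
  Store32(elems + idx * 4, value);
}

// The same store with the type check the optimized path is missing.
static bool SafeArraySet(uint32_t obj, uint32_t idx, uint32_t value) {
  if (Load32(obj + kOffKind) != kArray) return false;
  FastArraySet(obj, idx, value);
  return true;
}

// Ordinary, correctly bounds-checked element read.
static uint32_t ArrayGet(uint32_t obj, uint32_t idx) {
  if (idx >= Load32(obj + kOffLength)) throw std::out_of_range("index");
  return Load32(Load32(obj + kOffElements) + idx * 4);
}

// Victim length after the confused store: 0x7FFFFFFF instead of 2.
static uint32_t VictimLengthAfterConfusion() {
  Reset();
  FastArraySet(kAttacker, 0, 0x7FFFFFFFu);
  return Load32(kVictim + kOffLength);
}

// With the corrupted length, an in-bounds-looking read of victim[5] passes the
// check and returns a word from the attacker string object (its length, 8).
static uint32_t OutOfBoundsReadAfterConfusion() {
  Reset();
  FastArraySet(kAttacker, 0, 0x7FFFFFFFu);
  return ArrayGet(kVictim, 5);
}

// The checked store refuses the string and leaves the victim untouched.
static bool CheckedStoreRejected() {
  Reset();
  bool ok = SafeArraySet(kAttacker, 0, 0x7FFFFFFFu);
  return !ok && Load32(kVictim + kOffLength) == 2;
}

int main() {
  std::printf("victim length after confusion: 0x%x\n", VictimLengthAfterConfusion());
  std::printf("victim[5] now reads: %u\n", OutOfBoundsReadAfterConfusion());
  std::printf("checked store rejected: %s\n", CheckedStoreRejected() ? "yes" : "no");
  return 0;
}
```

The point to take from the toy is the order of events: the first confused write needs only the one missing check, and it corrupts a length field rather than anything the attacker wants directly. Every later access to the victim object is then "in bounds" by the engine's own accounting, which is what turns one type confusion into the arbitrary read/write that leads to code execution in the renderer.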

Vulnerabilities like these can have an outsized impact on mobile fleets. Since Chrome is by far the most widely used mobile web browser, with roughly 65% market share, it is extremely unlikely that an enterprise organization has no users at risk. Successfully exploiting a vulnerability like this typically grants the attacker the same permissions that Chrome has. It is also worth noting that this is the tenth zero-day discovered in Chrome in 2024, which demonstrates the importance of keeping apps up to date.

Authors

Lookout


Threat Type: Vulnerability
Platform(s) Affected: All Platforms
Entry Type: Threat Guidances